Florida Auditor General Issues Report on Department of Veterans Affairs
SUMMARY
This operational audit of the
Procurement
Finding 1: In some instances, Department records did not adequately evidence the decision to noncompetitively procure contractual services and commodities, demonstrate compliance with State law, or evidence the economical reasonableness of the purchases.
Veteran Services Billing
Finding 2: Department controls for billing resident bed holds need enhancement.
Finding 3: As similarly noted in our report No. 2016-027, annual financial information used to verify resident income and determine resident assessments was not always obtained or timely updated at the nursing homes and Domiciliary. In addition, Department records did not always include appropriately completed financial agreement letters.
Information Technology Controls
Finding 4: As similarly noted in our report No. 2016-027, the Department had not established a risk management program or categorized information technology (IT) risks in accordance with governing rules.
Finding 5: Certain security controls related to vulnerability management need improvement to ensure the confidentiality, integrity, and availability of Department data and related IT resources.
Finding 6: The Department did not timely obtain and review the independent service auditor's report related to the controls designed and established by the subservice organization used by the Department's vendor for
BACKGROUND
The
Pursuant to State law,3 the Department provides long-term residential health care and domiciliary services for honorably discharged veterans through six nursing homes and a Domiciliary (assisted living facility). State law4 requires the Department to operate the nursing homes under the State provisions for licensed health care facilities. Table 1 provides a listing of, and information related to, Department-operated residential facilities. The Department's main administrative office is located in
Click here to view table: https://flauditor.gov/pages/pdf_files/2019-013.pdf
The Department contracts with a vendor for
FINDINGS AND RECOMMENDATIONS
PROCUREMENT
To provide for the health and safety of nursing home and Domiciliary residents, the Department procures services such as housekeeping, laundry, and facility repairs, and commodities such as equipment and food products. The Department,
Finding 1: Non-Competitive Contract Procurement
State law5 establishes that fair and open competition is a basic tenet of public procurement and that such competition reduces the appearance and opportunity for favoritism and inspires public confidence that contracts are awarded equitably and economically. State law further specifies that State agencies are to maintain detailed justification to support commodity and contractual service procurement decisions. When procuring commodities or contractual services in excess of
As part of our audit, we examined Department purchase orders and expenditure records related to 10 vendors to whom the Department paid
that:
* In
State law.
* During the period
* During the period
While the Department classified the purchase orders as sole source, Department records did not clearly evidence the basis for, and economical reasonableness of, the sole source purchases as the Department did not seek pricing from other vendors. For example, the Department obtained fresh produce through a Federal contract at the
Recommendation: We recommend that Department management take steps to ensure that commodities and contractual services are procured in accordance with State law. In addition, Department management should ensure that decisions to noncompetitively procure commodities and contractual services are clearly documented, demonstrate compliance with State law, and evidence the economical reasonableness of the purchases.
State law10 requires nursing home and Domiciliary residents to contribute to the cost of their care based on their income level. A resident may contribute through a private contract or, as applicable, an amount determined by Medicaid. The Department bills residents and other responsible parties monthly for cost of care contributions. In addition, the Department receives Federal funding from the
Finding 2: Bed Holds
Department policies and procedures specified that a nursing home resident may hold a bed during hospital stays or while on therapeutic leave.11 Department policies and procedures further specified, by resident payor status, the applicable bed hold rates and rules for private pay residents, Medicare and private insurance residents, and Medicaid residents.
As part of our audit, we examined Department billing records related to 29 residents12 for selected months during the period
*
*
*
Absent effective billing controls, the Department may not receive from residents, and Department records may not accurately reflect, the amount due for bed holds in accordance with Department policies and procedures.
Recommendation: We recommend that Department management enhance billing procedures to ensure the residents are appropriately billed for bed holds.
Finding 3: Resident Financial Information
Department policies and procedures13 required that every
* 30 of the 136 Domiciliary residents returned completed Financial Data Update forms 1 to 15 days (an average of 5 days) after the
* 7 of the 56 nursing home residents returned completed Financial Data Update forms 1 to 175 days (an average of 44 days) after the
* Financial agreement letters for 3
As the Financial Data Update form provides resident financial information necessary for accurately determining resident assessments, it is critical that nursing homes and the Domiciliary timely receive all forms when due. Absent effective resident contribution determination processes that include controls and procedures designed to obtain signed financial agreement letters, there is an increased risk that Department records will not accurately reflect resident contribution amounts and applicable effective dates.
Recommendation: We recommend that Department management take appropriate steps to promote the timely receipt of Financial Data Update forms and ensure that Department records evidence the appropriate completion of all required financial agreement letters.
INFORMATION TECHNOLOGY CONTROLS
State law14 requires State agencies to establish information security controls to ensure the security of agency data, information, and information technology (IT) resources. Additionally,
IT controls need improvement.
Finding 4: Risk Management
AST rules16 specify that State agencies are to identify and manage the cybersecurity risk to agency operations, agency assets, and individuals. Those rules also specify that, when assessing potential impacts to security objectives, State agencies are to categorize IT risks according to Federal Information Processing Standards (FIPS) Publication 199.
In our report No. 2016-027 (Finding 6), we noted that the Department had not established a risk management program or categorized IT risks in accordance with FIPS Publication 199. Our follow-up audit inquiries of Department management disclosed that, as of
documented and approved risk management program and categorize IT risks in accordance with FIPS Publication 199.
Finding 5: Security Controls - Vulnerability Management
Security controls are intended to protect the confidentiality, integrity, and availability of data and related IT resources. Our audit procedures disclosed that certain security controls related to vulnerability management need improvement. We are not disclosing specific details of the issues in this report to avoid the possibility of compromising Department data and other Department IT resources. However, we have notified appropriate Department management of the specific issues. Without appropriate security controls related to vulnerability management, the risk is increased that the confidentiality, integrity, and availability of Department data and IT resources may be compromised.
Recommendation: We recommend that Department management improve certain security controls related to vulnerability management to ensure the confidentiality, integrity, and availability of Department data and other Department IT resources.
Finding 6: Evaluation of Service Auditor's Reports
As noted in the BACKGROUND, the Department contracted with a vendor for
As similarly noted in our report No. 2016-027 (Finding 8), our audit disclosed that, while the Department had requested and reviewed an independent service auditor's report on the effectiveness of the controls established by the vendor for
When service organizations utilize subservice organizations to perform services for the Department, it is critical that the Department timely request, receive, and review the service auditor's report to gain assurance that the design and operating effectiveness of the subservice organization's controls have been appropriately evaluated. Additionally, the establishment of a policy and procedure for monitoring the activities of third-party IT service providers would provide Department management greater assurance that such providers are complying with Department requirements.
Recommendation: We recommend that Department management timely request, obtain, and document reviews of, service auditor's reports on the effectiveness of subservice organization controls established for
PRIOR AUDIT FOLLOW-UP
Except as discussed in the preceding paragraphs, the Department had taken corrective actions for the findings included in our report No. 2016-027.
OBJECTIVES,
The Auditor General conducts operational audits of governmental entities to provide the Legislature,
We conducted this operational audit from
This operational audit of the
* To evaluate management's performance in establishing and maintaining internal controls, including controls designed to prevent and detect fraud, waste, and abuse, and in administering assigned responsibilities in accordance with applicable laws, administrative rules, contracts, grant agreements, and other guidelines.
* To examine internal controls designed and placed in operation to promote and encourage the achievement of management's control objectives in the categories of compliance, economic and efficient operations, the reliability of records and reports, and the safeguarding of assets, and identify weaknesses in those internal controls.
* To identify statutory and fiscal changes that may be recommended to the Legislature pursuant to Section 11.45(7)(h), Florida Statutes.
Our audit also included steps to determine whether management had corrected, or was in the process of correcting, all deficiencies noted in our report No. 2016-027.
This audit was designed to identify, for those programs, activities, or functions included within the scope of the audit, deficiencies in management's internal controls, instances of noncompliance with applicable governing laws, rules, or contracts, and instances of inefficient or ineffective operational policies, procedures, or practices. The focus of this audit was to identify problems so that they may be corrected in such a way as to improve government accountability and efficiency and the stewardship of management. Professional judgment has been used in determining significance and audit risk and in selecting the particular transactions, legal compliance matters, records, and controls considered.
As described in more detail below, for those programs, activities, and functions included within the scope of our audit, our audit work included, but was not limited to, communicating to management and those charged with governance the scope, objectives, timing, overall methodology, and reporting of our audit; obtaining an understanding of the program, activity, or function; exercising professional judgment in considering significance and audit risk in the design and execution of the research, interviews, tests, analyses, and other procedures included in the audit methodology; obtaining reasonable assurance of the overall sufficiency and appropriateness of the evidence gathered in support of our audit's findings and conclusions; and reporting on the results of the audit as required by governing laws and auditing standards.
Our audit included the selection and examination of transactions and records. Unless otherwise indicated in this report, these transactions and records were not selected with the intent of statistically projecting the results, although we have presented for perspective, where practicable, information concerning relevant population value or size and quantifications relative to the items selected for examination. An audit, by its nature, does not include a review of all records and actions of agency management, staff, and vendors and, as a consequence, cannot be relied upon to identify all instances of noncompliance, fraud, abuse, or inefficiency.
In conducting our audit, we:
* Reviewed applicable laws, rules, Department policies and procedures, and other guidelines, and interviewed Department personnel to obtain an understanding of veteran services billing and nursing homes and Domiciliary expenditures.
* From the population of 428 vendors to whom the Department made noncompetitive procurement-related payments totaling
* From MatrixCare and the population of 878 residents with outstanding accounts receivable balances as of
* Analyzed MatrixCare and Florida Accounting Information Resource Subsystem (FLAIR) records as of
* From the population of 1,454 residents the Department billed for services totaling
* From the population of 1,491 non-payroll expenditure transactions greater than or equal to
*
Specifically, we:
* Performed inquiries of the Lopez, Nininger, and Sims Nursing Home Administrators and reviewed Department policies and procedures related to the restrictive endorsement of checks to determine whether Department policies and procedures identified the employees responsible for endorsing checks and addressed controls designed to ensure that checks were restrictively endorsed at the time of receipt, all transfers of collections between employees were documented, and collection receipts were timely reconciled to bank deposit records.
* From the population of deposits for room and board and meals at the Bennett, Lopez, and
* Examined the 2016 Domiciliary Annual Financial Update Tracking log to determine whether Financial Data Update forms for the 136 residents required to complete a form were timely completed in accordance with Department policies and procedures.
* From the population of 491
* Performed inquiries of the Bennett and Sims Nursing Home Business Managers and reviewed Department Medicaid asset limit policies and procedures to determine whether the policies and procedures identified the anticipated costs that may be factored into, and the resources that may be excluded from, the determination of a resident's trust fund account balance for Medicaid asset limit purposes.
*
* From the population of 76 residents discharged from the
* Performed inquiries of Department management to determine whether the Department had implemented a risk management program to identify and manage cybersecurity risk to Department operations, assets, and individuals, categorized information technology (IT) risks in accordance with Federal Information Processing Standards Publication 199, and established policies, procedures, and processes for vulnerability management.
* Performed inquiries of the Chief Information Officer and examined the Department's Continuity of Operations Plan, disaster recovery procedures, and other records to determine whether the Plan, procedures, and other records included enhanced back-up, back-up location, and recovery of all critical IT systems and data provisions, and whether Department records evidenced recovery test results.
* Performed inquiries of the Chief Information Officer, reviewed Department policies and procedures related to evaluating third-party IT service provider auditor reports, and examined Department records to determine whether the Department timely requested, obtained, and documented reviews of, service auditor reports on the effectiveness of service organization and subservice organization controls established for
* Performed inquiries of the Chief Information Officer and reviewed Department policies and procedures related to each IT function to determine whether Department policies and procedures appropriately addressed each identified IT function.
* From the population of 183
* Reviewed applicable laws, rules, and other State guidelines to obtain an understanding of the legal framework governing Department operations.
* Observed, documented, and evaluated the effectiveness of selected Department processes and procedures for:
* Managing IT system access privileges, settlement agreements, fixed capital outlay projects, and financial reconciliations.
* The administration of Department contracts. During the period
* The acquisition and management of real property leases in accordance with State law,
* Collecting and utilizing individuals' social security numbers in accordance with statutory requirements.
* The administration of tangible personal property in accordance with applicable guidelines. As of
* The administration of Department travel in accordance with State law and other applicable guidelines. During the period
* Communicated on an interim basis with applicable officials to ensure the timely resolution of issues involving controls and noncompliance.
* Performed various other auditing procedures, including analytical procedures, as necessary, to accomplish the objectives of the audit.
* Prepared and submitted for management response the findings and recommendations that are included in this report and which describe the matters requiring corrective actions. Management's response is included in this report under the heading MANAGEMENT'S RESPONSE.
AUTHORITY
Section 11.45, Florida Statutes, requires that the Auditor General conduct an operational audit of each State agency on a periodic basis. Pursuant to the provisions of Section 11.45, Florida Statutes, I have directed that this report be prepared to present the results of our operational audit.
Auditor General