Florida Auditor General Issues Report on Department of Veterans Affairs

TALLAHASSEE, Florida, Aug. 22 -- The office of the Florida Auditor General released the following report:

SUMMARY

This operational audit of the Department of Veterans' Affairs (Department) focused on procurement and veteran services billing. The audit also included a follow-up on the findings noted in our report No. 2016-027. Our audit disclosed the following:

Procurement

Finding 1: In some instances, Department records did not adequately evidence the decision to noncompetitively procure contractual services and commodities, demonstrate compliance with State law, or evidence the economical reasonableness of the purchases.

Veteran Services Billing

Finding 2: Department controls for billing resident bed holds need enhancement.

Finding 3: As similarly noted in our report No. 2016-027, annual financial information used to verify resident income and determine resident assessments was not always obtained or timely updated at the nursing homes and Domiciliary. In addition, Department records did not always include appropriately completed financial agreement letters.

Information Technology Controls

Finding 4: As similarly noted in our report No. 2016-027, the Department had not established a risk management program or categorized information technology (IT) risks in accordance with governing rules.

Finding 5: Certain security controls related to vulnerability management need improvement to ensure the confidentiality, integrity, and availability of Department data and related IT resources. Finding 6: The Department did not timely obtain and review the independent service auditor's report related to the controls designed and established by the subservice organization used by the Department's vendor for MatrixCare. A similar finding was included in our report No. 2016-027.

BACKGROUND

The Department of Veterans' Affairs (Department) is a Cabinet agency created to assist all former, present, and future members of the Armed Forces of the United States and their dependents in preparing claims for and securing compensation, hospitalization, career training, and other benefits or privileges to which such persons are, or may become, entitled to under Federal or State law or regulation as a result of their service in the Armed Forces.1 The Department provides advocacy and representation for many of the State's 1.5 million veterans and their families.2

Pursuant to State law,3 the Department provides long-term residential health care and domiciliary services for honorably discharged veterans through six nursing homes and a Domiciliary (assisted living facility). State law4 requires the Department to operate the nursing homes under the State provisions for licensed health care facilities. Table 1 provides a listing of, and information related to, Department-operated residential facilities. The Department's main administrative office is located in Largo, Florida.

Click here to view table: https://flauditor.gov/pages/pdf_files/2019-013.pdf

The Department contracts with a vendor for MatrixCare, an electronic health records system used by the Department to manage the financial and clinical functions of the Department's nursing homes and Domiciliary. Prior to MatrixCare, the Department utilized the UltraCare for Windows database (UltraCare) to execute these functions. The Department still utilizes UltraCare for resident accounts with active balances prior to August 2014 that are awaiting final resolution. As necessary, the Department updates records in both systems to reflect modifications to existing benefits and claims.

FINDINGS AND RECOMMENDATIONS PROCUREMENT

To provide for the health and safety of nursing home and Domiciliary residents, the Department procures services such as housekeeping, laundry, and facility repairs, and commodities such as equipment and food products. The Department, Division of Administration (Division), responsibilities include developing, maintaining, and disseminating uniform Department policies, procedures, and guidelines governing Department procurement activities. In addition, the Division is responsible for reviewing budgets, processing purchase requisitions, and creating purchase orders. During the period July 2015 through January 2017, Department nursing home and Domiciliary expenditures totaled $125,461,356.

Finding 1: Non-Competitive Contract Procurement

State law5 establishes that fair and open competition is a basic tenet of public procurement and that such competition reduces the appearance and opportunity for favoritism and inspires public confidence that contracts are awarded equitably and economically. State law further specifies that State agencies are to maintain detailed justification to support commodity and contractual service procurement decisions. When procuring commodities or contractual services in excess of $35,000, State agencies are to use the competitive solicitation processes authorized by State law.6 However, State law7 also provides certain exemptions to the competitive procurement requirements, such as emergency and sole source purchases greater than $35,000. For emergency purchases, State law8 requires agency heads to determine in writing that an immediate danger to the public health, safety, or welfare or other substantial loss to the State requires emergency action. State law also requires agencies to obtain pricing information from at least two prospective vendors, unless the agency determines in writing that the time required to obtain pricing information will increase the immediate danger to the public health, safety, or welfare or other substantial loss to the State. State agencies are to provide copies of emergency purchase determinations to the Department of Management Services and the Chief Financial Officer. For sole source purchases, State law9 requires State agencies to electronically post a description of the commodities or contractual services sought for at least 7 business days. After reviewing any information received from prospective vendors, if the agency determines in writing that the commodities or contractual services are available only from a single source, the agency is to provide notice of its intended decision to enter a sole source contract.

As part of our audit, we examined Department purchase orders and expenditure records related to 10 vendors to whom the Department paid $401,422 for goods or services procured through non-competitive means during the period July 2015 through January 2017. Our examination disclosed

that:

* In August 2015, the Department issued a $50,000 purchase order to a vendor to rebuild two Jacobson Nursing Home resident rooms, including bathrooms, that suffered water damage. However, although 10 days elapsed between the date the Department documented in an internal memorandum that an emergency existed and the date the residents were moved to other rooms, the Department did not obtain quotes from two prospective vendors, or document that the time required to obtain pricing information would have increased the immediate danger to the public health, safety, or welfare or other substantial loss to the State. In addition, the Department did not provide the Department of Management Services with documents relating to the notice of an emergency purchase. Department expenditures related to the rebuild and repair of the rooms totaled $47,370. In response to our audit inquiry, Department management indicated that the Department considered their internal memorandum to satisfy the documentation requirements of

State law.

* During the period July 2015 through January 2017, the Department expended $118,318 for bread delivered to the Domiciliary and six nursing homes. The expenditures were paid to four vendors to which the Department issued 28 purchase orders, totaling $195,905, including two vendors each to which the Department issued purchase orders totaling over $35,000. The Department classified each of the 28 purchase orders as sole source. However, the Department did not electronically post a description of the bread and the related delivery services sought for the two vendors that had combined purchase orders totaling over $35,000 as specified by State law, and Department records did not otherwise clearly evidence the economical reasonableness of any of the sole source purchases. In response to our audit inquiry, Department management indicated that the Department had last sought quotes from other vendors in June 2013.

* During the period July 2015 through January 2017, the Department issued 11 sole source purchase orders, totaling $204,733, to five vendors for fresh produce delivered to the Domiciliary and Bennett, Lassen, Lopez, and Nininger Nursing Homes.

While the Department classified the purchase orders as sole source, Department records did not clearly evidence the basis for, and economical reasonableness of, the sole source purchases as the Department did not seek pricing from other vendors. For example, the Department obtained fresh produce through a Federal contract at the Jacobson and Sims Nursing Homes. However, the Department did not perform a pricing comparison between the Federal vendor and the vendors who served the Domiciliary and the Bennett, Lassen, Lopez, and Nininger Nursing Homes. Department expenditures for fresh produce delivered to the Domiciliary and Bennett, Lassen, Lopez, and Nininger Nursing Homes totaled $112,010 during the period July 2015 through January 2017. State law provides certain exemptions to competitive procurement requirements; however, when used, these exemptions increase the risk that contracts may not be awarded equitably and economically. Therefore, it is important that decisions to noncompetitively procure commodities and contractual services are clearly documented, demonstrate compliance with State law, and evidence the economical reasonableness of the purchases.

Recommendation: We recommend that Department management take steps to ensure that commodities and contractual services are procured in accordance with State law. In addition, Department management should ensure that decisions to noncompetitively procure commodities and contractual services are clearly documented, demonstrate compliance with State law, and evidence the economical reasonableness of the purchases.

State law10 requires nursing home and Domiciliary residents to contribute to the cost of their care based on their income level. A resident may contribute through a private contract or, as applicable, an amount determined by Medicaid. The Department bills residents and other responsible parties monthly for cost of care contributions. In addition, the Department receives Federal funding from the United States Department of Veterans' Affairs, including monthly per diem and 70 to 100 percent service-connected disability benefits for eligible veterans. The Department also bills Medicare, Medicaid, hospice, and private insurance, as applicable.

Finding 2: Bed Holds

Department policies and procedures specified that a nursing home resident may hold a bed during hospital stays or while on therapeutic leave.11 Department policies and procedures further specified, by resident payor status, the applicable bed hold rates and rules for private pay residents, Medicare and private insurance residents, and Medicaid residents.

As part of our audit, we examined Department billing records related to 29 residents12 for selected months during the period July 2015 through January 2017 to determine whether the Department appropriately billed nursing home residents for bed holds. Our examination disclosed that, due to nursing home staff oversights, the Jacobson, Lopez, and Nininger Nursing Homes did not always appropriately bill residents for bed holds in accordance with Department policies and procedures. Specifically:

* Jacobson Nursing Home staff did not bill one resident for the final 6 days of a 16-day bed hold in September 2016, which resulted in an $1,683 underbilling. Subsequent to our audit inquiry in July 2017, the resident was billed for the amount owed.

* Lopez Nursing Home staff billed one resident the incorrect rate for a 22-day bed hold in June 2016, which resulted in an $104 underbilling. Subsequent to our audit inquiry, the resident's account was adjusted to reflect the correct billing rate, as the resident was deceased.

* Nininger Nursing Home staff did not bill one resident for the final 3 days of a 13-day bed hold in November 2016, resulting in an $882 underbilling. Subsequent to our audit inquiry, the resident was billed for the amount owed.

Absent effective billing controls, the Department may not receive from residents, and Department records may not accurately reflect, the amount due for bed holds in accordance with Department policies and procedures. Recommendation: We recommend that Department management enhance billing procedures to ensure the residents are appropriately billed for bed holds.

Finding 3: Resident Financial Information

Department policies and procedures13 required that every January 1st nursing home and Domiciliary business office staff update each resident's financial status utilizing information provided on a Financial Data Update form to determine if there were any changes in the amounts or types of moneys received by the resident. The policies and procedures specified that a form was to be completed by each resident, their family members, or legal guardian, as appropriate, and returned along with supporting documentation (e.g., monetary award letters, income tax returns) to the facility's business office no later than February 15th each calendar year. If a billing change was required based on the updated financial information, Department policies and procedures required nursing home or Domiciliary business office staff to send a financial agreement letter to the resident, family member, or legal guardian indicating the new rate and the effective date of the change. Business office staff were to maintain a copy of the letter signed by the resident, family member, or legal guardian in the resident's financial file and in MatrixCare. In our report No. 2016-027 (Finding 2), we noted that annual resident financial updates were not always timely completed at the Domiciliary. As part of our follow-up audit procedures, we examined the Domiciliary's 2016 Annual Financial Update Tracking log to determine whether the Department ensured that a Financial Data Update form was timely completed for the 136 residents required to complete the form. We also examined Department records for 56 nursing home and 4 Domiciliary residents to determine whether Financial Data Update forms were timely completed for the 2016 calendar year and whether the amounts billed for residents' services were correctly calculated and supported by signed financial agreement letters, as applicable. Our audit procedures disclosed that:

* 30 of the 136 Domiciliary residents returned completed Financial Data Update forms 1 to 15 days (an average of 5 days) after the February 15th deadline.

* 7 of the 56 nursing home residents returned completed Financial Data Update forms 1 to 175 days (an average of 44 days) after the February 15th deadline, and 6 other residents did not return a completed Financial Data Update form.

* Financial agreement letters for 3 Nininger Nursing Home residents lacked signatures and the financial agreement letter for another resident was not on file or in MatrixCare.

As the Financial Data Update form provides resident financial information necessary for accurately determining resident assessments, it is critical that nursing homes and the Domiciliary timely receive all forms when due. Absent effective resident contribution determination processes that include controls and procedures designed to obtain signed financial agreement letters, there is an increased risk that Department records will not accurately reflect resident contribution amounts and applicable effective dates. Recommendation: We recommend that Department management take appropriate steps to promote the timely receipt of Financial Data Update forms and ensure that Department records evidence the appropriate completion of all required financial agreement letters.

INFORMATION TECHNOLOGY CONTROLS

State law14 requires State agencies to establish information security controls to ensure the security of agency data, information, and information technology (IT) resources. Additionally, Agency for State Technology (AST) rules15 establish minimum security standards for ensuring the confidentiality, integrity, and availability of State agency data, information, and IT resources. As part of our audit, we evaluated selected Department IT controls. As discussed in Findings 4 through 6, we noted areas in which

IT controls need improvement.

Finding 4: Risk Management

AST rules16 specify that State agencies are to identify and manage the cybersecurity risk to agency operations, agency assets, and individuals. Those rules also specify that, when assessing potential impacts to security objectives, State agencies are to categorize IT risks according to Federal Information Processing Standards (FIPS) Publication 199.

In our report No. 2016-027 (Finding 6), we not

ed that the Department had not established a risk management program or categorized IT risks in accordance with FIPS Publication 199. Our follow-up audit inquiries of Department management disclosed that, as of May 2018, the Department still had not implemented a risk management program to identify and manage cybersecurity risk to Department operations, assets, and individuals, or categorized IT risks in accordance with FIPS Publication 199. A documented, approved, and implemented risk management program helps management effectively identify and manage risks to Department operations, assets, and individuals, and better ensures the appropriate testing of critical IT controls. Recommendation: We again recommend that Department management implement a

documented and approved risk management program and categorize IT risks in accordance with FIPS Publication 199.

Finding 5: Security Controls - Vulnerability Management

Security controls are intended to protect the confidentiality, integrity, and availability of data and related IT resources. Our audit procedures disclosed that certain security controls related to vulnerability management need improvement. We are not disclosing specific details of the issues in this report to avoid the possibility of compromising Department data and other Department IT resources. However, we have notified appropriate Department management of the specific issues. Without appropriate security controls related to vulnerability management, the risk is increased that the confidentiality, integrity, and availability of Department data and IT resources may be compromised.

Recommendation: We recommend that Department management improve certain security controls related to vulnerability management to ensure the confidentiality, integrity, and availability of Department data and other Department IT resources. Finding 6: Evaluation of Service Auditor's Reports As noted in the BACKGROUND, the Department contracted with a vendor for MatrixCare, an electronic health record system used by the Department to process administrative, billing, financial, and clinical record transactions. The contract included provisions requiring compliance with, among other things, data backup and off-site storage requirements, disaster recovery plans, and minimum service levels. The vendor utilized a subservice organization to host and support MatrixCare, including services such as anti-virus, firewall, and intrusion detection, network and storage administration, and backup and recovery management. As the Department relies on MatrixCare, and the sensitive and confidential information contained therein, to provide veterans' services, it is incumbent upon the Department to take steps to reasonably ensure the integrity, reliability, and security of MatrixCare data. Such steps may include requiring the service organization to provide a service auditor's report17 on the effectiveness of the controls established by the organization for MatrixCare or, alternatively, Department monitoring of the effectiveness of relevant service organization controls. Additionally, when the service organization utilizes a subservice organization to perform services for the Department, it is necessary for the Department to obtain assurances regarding the subservice organization's controls relevant to those services.

As similarly noted in our report No. 2016-027 (Finding 8), our audit disclosed that, while the Department had requested and reviewed an independent service auditor's report on the effectiveness of the controls established by the vendor for MatrixCare, the report did not include the controls and related control objectives of the subservice organization. Although the most recent service auditor's report for the subservice organization, dated December 9, 2016, was available, the Department did not request or review the report until after our audit inquiry in July 2017. In addition, we noted that the Department had not established a policy and procedure for monitoring third-party IT service provider compliance with Department requirements.

When service organizations utilize subservice organizations to perform services for the Department, it is critical that the Department timely request, receive, and review the service auditor's report to gain assurance that the design and operating effectiveness of the subservice organization's controls have been appropriately evaluated. Additionally, the establishment of a policy and procedure for monitoring the activities of third-party IT service providers would provide Department management greater assurance that such providers are complying with Department requirements.

Recommendation: We recommend that Department management timely request, obtain, and document reviews of, service auditor's reports on the effectiveness of subservice organization controls established for MatrixCare. Additionally, to better ensure compliance with Department requirements, we again recommend that Department management establish a policy and procedure for monitoring the activities of third-party IT service providers.

PRIOR AUDIT FOLLOW-UP Except as discussed in the preceding paragraphs, the Department had taken corrective actions for the findings included in our report No. 2016-027.

OBJECTIVES, SCOPE, AND METHODOLOGY

The Auditor General conducts operational audits of governmental entities to provide the Legislature, Florida's citizens, public entity management, and other stakeholders unbiased, timely, and relevant information for use in promoting government accountability and stewardship and improving government operations.

We conducted this operational audit from February 2017 through June 2018 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

This operational audit of the Department of Veterans' Affairs (Department) focused on procurement, veteran services billing, and nursing home and Domiciliary expenditures. The overall objectives of the audit were:

* To evaluate management's performance in establishing and maintaining internal controls, including controls designed to prevent and detect fraud, waste, and abuse, and in administering assigned responsibilities in accordance with applicable laws, administrative rules, contracts, grant agreements, and other guidelines.

* To examine internal controls designed and placed in operation to promote and encourage the achievement of management's control objectives in the categories of compliance, economic and efficient operations, the reliability of records and reports, and the safeguarding of assets, and

identify weaknesses in those internal controls.

* To identify statutory and fiscal changes that may be recommended to the Legislature pursuant to Section 11.45(7)(h), Florida Statutes.

Our audit also included steps to determine whether management had corrected, or was in the process of correcting, all deficiencies noted in our report No. 2016-027.

This audit was designed to identify, for those programs, activities, or functions included within the scope of the audit, deficiencies in management's internal controls, instances of noncompliance with applicable governing laws, rules, or contracts, and instances of inefficient or ineffective operational policies, procedures, or practices. The focus of this audit was to identify problems so that they may be corrected in such a way as to improve government accountability and efficiency and the stewardship of management. Professional judgment has been used in determining significance and audit risk and in selecting the particular transactions, legal compliance matters, records, and controls considered.

As described in more detail below, for those programs, activities, and functions included within the scope of our audit, our audit work included, but was not limited to, communicating to management and those charged with governance the scope, objectives, timing, overall methodology, and reporting of our audit; obtaining an understanding of the program, activity, or function; exercising professional judgment in considering significance and audit risk in the design and execution of the research, interviews, tests, analyses, and other procedures included in the audit methodology; obtaining reasonable assurance of the overall sufficiency and appropriateness of the evidence gathered in support of our audit's findings and conclusions; and reporting on the results of the audit as required by governing laws and auditing standards.

Our audit included the selection and examination of transactions and records. Unless otherwise indicated in this report, these transactions and records were not selected with the intent of statistically projecting the results, although we have presented for perspective, where practicable, information concerning relevant population value or size and quantifications relative to the items selected for examination. An audit by its nature, does not include a review of all records and actions of agency management, staff, and vendors, and as a consequence, cannot be relied upon to identify all instances of noncompliance, fraud, abuse, or inefficiency.

In conducting our audit, we:

* Reviewed applicable laws, rules, Department policies and procedures, and other guidelines, and interviewed Department personnel to obtain an understanding of veteran services billing and nursing homes and Domiciliary expenditures.

* From the population of 428 vendors to whom the Department made noncompetitive procurement-related payments totaling $3,367,349 during the period July 2015 through January 2017, examined Department records for payments, totaling $401,422, made to 10 selected vendors to determine whether the goods or services related to the payments were procured in accordance with State law.

* From MatrixCare and the population of 878 residents with outstanding accounts receivable balances as of June 30, 2016, totaling $5,745,542, examined Department records for 60 selected residents with accounts receivable balances totaling $778,517 to determine whether the accounts receivable balances were correctly calculated and whether any delinquent balances were reported to the Chief Financial Officer in accordance with State law.

* Analyzed MatrixCare and Florida Accounting Information Resource Subsystem (FLAIR) records as of June 30, 2016, to determine whether the Department appropriately recorded in FLAIR all accounts receivable balances related to services provided to residents.

* From the population of 1,454 residents the Department billed for services totaling $101,335,490 during the period July 2015 through January 2017, examined Department records for 60 selected residents billed for services totaling $927,082 to determine whether Department billing processes and related controls were adequately designed and effectively implemented to ensure that residential health care and Domiciliary services were properly billed and accounted for.

* From the population of 1,491 non-payroll expenditure transactions greater than or equal to $100 and totaling $3,448,406, made by Department nursing homes and the Domiciliary during the period July 2015 through January 2017, examined Department records for 60 selected expenditure transactions, totaling $59,129, to determine whether the expenditures were properly approved by Department management, accurately recorded in FLAIR, adequately supported, and made in accordance with applicable laws, rules, regulations, policies and procedures, and other guidelines.

* Evaluated Department actions to correct the findings noted in our report No. 2016-027.

Specifically, we:

* Performed inquiries of the Lopez, Nininger, and Sims Nursing Home Administrators and reviewed Department policies and procedures related to the restrictive endorsement of checks to determine whether Department policies and procedures identified the employees responsible for endorsing checks and addressed controls designed to ensure that checks were restrictively endorsed at the time of receipt, all transfers of collections between employees were documented, and collection receipts were timely reconciled to bank deposit records.

* From the population of deposits for room and board and meals at the Bennett, Lopez, and Nininger Nursing Homes, totaling $16,265,195, made during the period January 2016 through January 2017, examined Department records for 55 selected deposits, totaling $1,382,473, to determine whether transfers of collections between employees were adequately documented and collection receipts were timely reconciled to bank deposits.

* Examined the 2016 Domiciliary Annual Financial Update Tracking log to determine whether Financial Data Update forms for the 136 residents required to complete a form were timely completed in accordance with Department policies and procedures.

* From the population of 491 Resident Deposit Trust Fund check disbursements, totaling $1,536,939, made during the period February 2016 through January 2017 at the Nininger and Sims Nursing Homes, examined Department records for 20 selected disbursements, totaling $38,503, to determine whether the disbursements were made in accordance with Department policies and procedures.

* Performed inquiries of the Bennett and Sims Nursing Home Business Managers and reviewed Department Medicaid asset limit policies and procedures to determine whether the policies and procedures identified the anticipated costs that may be factored into, and the resources that may be excluded from, the determination of a resident's trust fund account balance for Medicaid asset limit purposes.

* Examined Department records to determine whether 20 selected Medicaid recipients at the Bennett and Sims Nursing Homes were timely and properly notified of potential Medicaid program ineligibility. For the Bennett Nursing Home, we selected and examined Department records for 7 and 3 Medicaid recipients, respectively, from the population of 48 Medicaid recipients during January 2016 and 64 Medicaid recipients during July 2016; and, for the Sims Nursing Home, we selected and examined Department records for 4, 3, and 3 Medicaid recipients, respectively, from the population of 29 Medicaid recipients during January 2016, 29 Medicaid recipients during July 2016, and 32 Medicaid recipients during January 2017.

* From the population of 76 residents discharged from the Nininger Nursing Home during the period December 2015 through January 2017, examined Department records for 15 selected residents to determine whether all resident funds were disbursed to the resident or their beneficiary within 30 days.

* Performed inquiries of Department management to determine whether the Department had implemented a risk management program to identify and manage cybersecurity risk to Department operations, assets, and individuals, categorized information technology (IT) risks in accordance with Federal Information Processing Standards Publication 199, and established policies, procedures, and processes for vulnerability management.

* Performed inquiries of the Chief Information Officer and examined the Department's Continuity of Operations Plan, disaster recovery procedures, and other records to determine whether the Plan, procedures, and other records included enhanced back-up, back-up location, and recovery of all critical IT systems and data provisions, and whether Department records evidenced recovery test results.

* Performed inquiries of the Chief Information Officer, reviewed Department policies and procedures related to evaluating third-party IT service provider auditor reports, and examined Department records to determine whether the Department timely requested, obtained, and documented reviews of, service auditor reports on the effectiveness of service organization and subservice organization controls established for MatrixCare.

* Performed inquiries of the Chief Information Officer and reviewed Department policies and procedures related to each IT function to determine whether Department policies and procedures appropriately addressed each identified IT function.

* From the population of 183 MatrixCare users and 12 FLAIR users who separated from Department employment during the period July 2015 through January 2017, examined Department records for 20 selected MatrixCare users, including 8 users who also had access to FLAIR, to determine whether IT access privileges were timely deactivated. Additionally, from the population of 292 MatrixCare users during the period July 2015 through January 2017, we examined Department records for 15 selected MatrixCare users to determine whether the access privileges were commensurate with the user's job duties.

* Reviewed applicable laws, rules, and other State guidelines to obtain an understanding of the legal framework governing Department operations.

* Observed, documented, and evaluated the effectiveness of selected Department processes and procedures for:

* Managing IT system access privileges, settlement agreements, fixed capital outlay projects, and financial reconciliations.

* The administration of Department contracts. During the period July 2015 through January 2017, the Department entered into 3,966 contractual agreements totaling $22,745,404.

* The acquisition and management of real property leases in accordance with State law, Department of Management Services rules, and other applicable guidelines. As of February 2017, the Department was responsible for 21 active real property leases.

* Collecting and utilizing individuals' social security numbers in accordance with statutory requirements.

* The administration of tangible personal property in accordance with applicable guidelines. As of June 30, 2016, the Department was responsible for tangible personal property with related acquisition costs totaling $8,653,159.

* The administration of Department travel in accordance with State law and other applicable guidelines. During the period July 2015 through December 2016, Department travel expenditures totaled $593,600.

* Communicated on an interim basis with applicable officials to ensure the timely resolution of issues involving controls and noncompliance.

* Performed various other auditing procedures, including analytical procedures, as necessary, to accomplish the objectives of the audit.

* Prepared and submitted for management response the findings and recommendations that are included in this report and which describe the matters requiring corrective actions. Management's response is included in this report under the heading MANAGEMENT'S RESPONSE.

AUTHORITY

Section 11.45, Florida Statutes, requires that the Auditor General conduct an operational audit of each State agency on a periodic basis. Pursuant to the provisions of Section 11.45, Florida Statutes, I have directed that this report be prepared to present the results of our operational audit.

Sherrill F. Norman, CPA

Auditor General