State of Georgia, single audit report, fiscal year ended June 30, 2021, part 1

FISCAL YEAR 2021
State of Georgia
Single Audit Report Part I
Kristina A. Turner | Deputy State Auditor
Greg S. Griffin | State Auditor

GREG S. GRIFFIN
STATE AUDITOR
(404) 656-2174

DEPARTMENT OF AUDITS AND ACCOUNTS
270 Washington Street, S.W., Suite 4-101 Atlanta, Georgia 30334-8400

March 24, 2022
The Honorable Brian P. Kemp, Governor of Georgia
and Members of the General Assembly
Citizens of the State of Georgia

We are pleased to present the State of Georgia's (State) Single Audit Report Part I for the year ended June 30, 2021. Historically, we have presented the results of our audit of the Annual Comprehensive Financial Report (ACFR) within the Single Audit Report as a single report. For Fiscal Year 2021, we are providing this information in two separate reports, as noted below.
Our opinions on the State's financial statements are presented in the State's ACFR, which was issued under separate cover on January 24, 2022. We were not able to obtain sufficient, appropriate audit evidence for balances to provide an opinion on the Unemployment Compensation Fund.
The Single Audit Report Part I contains financial reporting information based on our audit of the State's ACFR for the year ended June 30, 2021. This report includes our Independent Auditor's Report on Internal Control Over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance with Government Auditing Standards accompanied by our financial findings, conclusions, and recommendations, and the responses of the respective state organizations.
The Single Audit Report Part II will present the remaining elements required by the Uniform Guidance, our Independent Auditor's Report on Compliance for Each Major Federal Program and on Internal Control Over Compliance Required by the Uniform Guidance. This report will also include additional findings and questioned costs related to federal awards that came to our attention through the Statewide Single Audit. Additionally, the report will contain our report on the Schedule of Expenditures of Federal Awards (SEFA) and related notes required by Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance).
We would like to express our appreciation to all those involved in the preparation and completion of this report. We believe the results of this statewide audit provide valuable information to the State's decision makers and others interested in the activities of the State of Georgia.

Respectfully submitted,

Greg S. Griffin State Auditor

STATE OF GEORGIA
TABLE OF CONTENTS
YEAR ENDED JUNE 30, 2021

Report on Internal Control Over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance with Government Auditing Standards
Financial Statement Findings
Corrective Action Plan for Current Year Financial Findings
Summary Schedule of Prior Audit Financial Findings


INDEPENDENT AUDITOR'S REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING AND ON COMPLIANCE AND OTHER MATTERS BASED ON AN AUDIT OF FINANCIAL STATEMENTS PERFORMED IN ACCORDANCE WITH GOVERNMENT AUDITING STANDARDS

The Honorable Brian P. Kemp, Governor of Georgia and
Members of the General Assembly of the State of Georgia

We were engaged to audit the financial statements of the governmental activities, business-type activities, aggregate discretely presented component units, each major fund, and aggregate remaining fund information of the State of Georgia (State), as of and for the year ended June 30, 2021, and the related notes to the financial statements, which collectively comprise the State's basic financial statements, and have issued our report thereon dated January 24, 2022. We have issued unmodified opinions for all opinion units, except for the Unemployment Compensation Fund, on which we express no opinion.

As of the date of our audit report, the State was unable to provide sufficient appropriate audit evidence for the balances and financial activity of the receivables and payables of the Unemployment Compensation Fund, and we were unable to obtain sufficient appropriate audit evidence to determine or verify by alternative means whether certain paid claims met eligibility requirements. The State's records do not permit us, nor is it practical to extend or apply other auditing procedures, to obtain sufficient appropriate audit evidence to conclude that the receivable and payable balances and revenues, expenses and related cash flows in the Unemployment Compensation Fund were free of material misstatement. As a result, we did not express an opinion on the Unemployment Compensation Fund.

Our report includes a reference to other auditors who audited the financial statements of the State entities listed below, as described in our report on the State's basic financial statements.

AU Health System, Inc.
Augusta University Foundation, Inc. and Subsidiaries
Augusta University Research Institute, Inc.
Employees' Retirement System of Georgia
Georgia Advanced Technology Ventures, Inc. and Subsidiaries
Georgia College & State University Foundation, Inc. and Subsidiaries
Georgia Environmental Finance Authority
Georgia Gwinnett College Foundation, Inc.
Georgia Health Sciences Foundation, Inc.
Georgia Housing and Finance Authority
Georgia Lottery Corporation
Georgia Ports Authority
Georgia Southern University Housing Foundation, Inc. and Subsidiaries
Georgia State Financing and Investment Commission
Georgia State University Athletic Association, Inc.
Georgia State University Foundation, Inc.
Georgia State University Research Foundation, Inc.
Georgia Tech Athletic Association
Georgia Tech Facilities, Inc.
Georgia Tech Foundation, Inc.
Georgia Tech Research Corporation
Kennesaw State University Foundation, Inc.
Medical College of Georgia Foundation, Inc.
University of North Georgia Real Estate Foundation, Inc. and Subsidiaries


Middle Georgia State University Real Estate Foundation, Inc. and Subsidiaries
Teachers Retirement System of Georgia
The University of Georgia Foundation
University of Georgia Athletic Association, Inc.
University of Georgia Research Foundation, Inc. and Subsidiaries
UWG Real Estate Foundation, Inc.
University System of Georgia Foundation, Inc. and Affiliates
VSU Auxiliary Services Real Estate Foundation, Inc.

We conducted our audit in accordance with the auditing standards generally accepted in the United States of America and the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States. The other auditors did not audit the financial statements of the State entities listed below in accordance with Government Auditing Standards, and accordingly, this report does not include reporting on internal control over financial reporting or instances of reportable noncompliance associated with those entities.

Georgia Advanced Technology Ventures, Inc. and Subsidiaries
Georgia College & State University Foundation, Inc. and Subsidiaries
Georgia Gwinnett College Foundation, Inc.
Georgia Health Sciences Foundation, Inc.
Georgia Lottery Corporation
Georgia Southern University Housing Foundation, Inc. and Subsidiaries
Georgia State University Athletic Association, Inc.
Georgia State University Foundation, Inc.
Georgia Tech Athletic Association
Georgia Tech Facilities, Inc.
Georgia Tech Foundation, Inc.
Kennesaw State University Foundation, Inc.
Medical College of Georgia Foundation, Inc.
Middle Georgia State University Real Estate Foundation, Inc. and Subsidiaries
The University of Georgia Foundation
University of Georgia Athletic Association, Inc.
University of North Georgia Real Estate Foundation, Inc. and Subsidiaries
UWG Real Estate Foundation, Inc.
VSU Auxiliary Services Real Estate Foundation, Inc.

This report includes our consideration of the results of other auditors' testing of internal control over financial reporting and compliance and other matters that are reported on separately by those other auditors. However, this report, insofar as it relates to the results of the other auditors, is based solely on the reports of the other auditors.

Internal Control Over Financial Reporting
In planning and performing our audit of the financial statements, we considered the State's internal control over financial reporting (internal control) as a basis for designing audit procedures that are appropriate in the circumstances for the purpose of expressing our opinions on the basic financial statements, but not for the purpose of expressing an opinion on the effectiveness of the State's internal control. Accordingly, we do not express an opinion on the effectiveness of the State's internal control.

Our consideration of internal control was for the limited purpose described in the preceding paragraph and was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies and therefore, material weaknesses or significant deficiencies may exist that have not been identified. However, as described in the accompanying Schedule of Findings and Questioned Costs, we did identify certain deficiencies in internal control that we consider to be material weaknesses and significant deficiencies.


A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. We consider the deficiencies described in the accompanying Schedule of Findings and Questioned Costs in findings 2021-002, 2021-006, and 2021-007 to be material weaknesses.
A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. We consider the deficiencies described in the accompanying Schedule of Findings and Questioned Costs in findings 2021-001, 2021-003, 2021-004, 2021-005, 2021-008, 2021-009, 2021-010, 2021-011, 2021-012, and 2021-013 to be significant deficiencies.
Compliance and Other Matters
As part of obtaining reasonable assurance about whether the State's financial statements are free from material misstatement, we and other auditors performed tests of its compliance with certain provisions of laws, regulations, contracts and grant agreements, noncompliance with which could have a direct and material effect on the financial statements. However, providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests disclosed instances of noncompliance or other matters that are required to be reported under Government Auditing Standards and which are described in the accompanying Schedule of Findings and Questioned Costs in findings 2021-003, 2021-005, 2021-007, 2021-008, 2021-011, and 2021-013.
Additionally, if the scope of our work had been sufficient to enable us to express an opinion on the Unemployment Compensation Fund, other instances of noncompliance or other matters may have been identified and reported herein.
State's Responses to Findings
The State's responses to the findings identified in our audit consist of views of responsible officials and corrective action plans. The views of responsible officials are described in the accompanying Schedule of Findings and Questioned Costs, and the corrective action plans are described in the accompanying Corrective Action Plan for Current Year Findings. The State's responses were not subjected to the auditing procedures applied in the audit of the financial statements and, accordingly, we express no opinion on them.

Purpose of this Report
The purpose of this report is solely to describe the scope of our testing of internal control and compliance and the results of that testing, and not to provide an opinion on the effectiveness of the State's internal control or on compliance. This report is an integral part of an audit performed in accordance with Government Auditing Standards in considering the State's internal control and compliance. Accordingly, this communication is not suitable for any other purpose.

Respectfully submitted,

Greg S. Griffin
State Auditor

January 24, 2022

Financial Statement Findings
This section presents findings related to the financial statements, including any material weaknesses or significant deficiencies in internal control over financial reporting and noncompliance and other matters that are required to be reported in accordance with Government Auditing Standards. Financial statement findings are organized by State entity (entity number).

STATE OF GEORGIA FINANCIAL STATEMENT FINDINGS
YEAR ENDED JUNE 30, 2021
FINANCIAL STATEMENT FINDINGS REPORTED UNDER GOVERNMENT AUDITING STANDARDS

TABLE OF CONTENTS

STATE ENTITY¹ | ENTITY NAME
    FINDING NUMBER AND TITLE

Statewide
    2021-001 Improve Controls over Financial Reporting

414 | Department of Education
    2021-002 Strengthen Controls over Financial Reporting

419 | Department of Community Health
    2021-003 Continue to Strengthen Application Risk Management Program

422 | Office of the Governor
    2021-004 Improve Controls over Financial Reporting

440 | Department of Labor
    2021-005 Strengthen Logical Access Controls
    2021-006 Strengthen Accounting Controls Overall
    2021-007 Waste and Abuse Related to Employee Meal Purchases

474 | Department of Revenue
    2021-008 Continue to Strengthen Logical Access Controls

548 | Savannah State University
    2021-009 Internal Controls Over Financial Reporting

927 | State Road and Tollway Authority
    2021-010 Improve Controls over Financial Reporting
    2021-011 Improve Controls over Capital Assets

977 | Georgia Public Telecommunications Commission
    2021-012 Controls over Capital Assets

5036 | Georgia Tech Research Corporation
    2021-013 Revenue-Sharing Agreement Noncompliance

¹ The entity number represents the control number that was assigned to each State entity.


STATEWIDE FINDING

2021-001 Improve Controls over Financial Reporting

Internal Control Impact: Significant Deficiency
Compliance Impact: None

Description: The State Accounting Office should improve controls over financial reporting to ensure the accuracy of the State's basic financial statements, including the note disclosures and required supplementary information.

Background Information:
The SAO has continued to provide training on various financial accounting and reporting topics to internal staff and guidance to all State organizations through the issuance of accounting policies and procedures, meeting and training events, and detailed instructions for financial reporting forms. However, the utilization of year-end financial forms to gather information needed to prepare the State's financial statements, combined with other sources of information, and the extent of modification necessary to such information, results in a financial reporting process that continues to be highly complex and manual in nature, and therefore, susceptible to errors.

Criteria:
The SAO is responsible for establishing and maintaining a system of internal controls over the preparation of financial statements in accordance with generally accepted accounting principles (GAAP). The design and operation of the SAO's controls should allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements of the financial statements in a timely manner.

Condition: Our review of the State's financial statements, including the note disclosures, revealed errors that were not detected by the SAO's review process. Some of the more significant items found were as follows:
A proposed audit adjustment in the amount of $3.7 billion was made to correct newly established cash accounts maintained by the Office of the State Treasurer that were misclassified in Pooled Investments with State Treasury.
An entry to recognize the federal funds received from the Coronavirus Relief Fund (CRF) program did not eliminate internal transactions between various state agencies and the Office of the Governor resulting in the inappropriate reporting of accounts receivable and accounts payable in the amount of $437,323,461.

Noncash Activities for the Higher Education Fund in the amount of $154,567,000 were duplicated on the Proprietary Statement of Cash Flows.


Within the note disclosure associated with Fiduciary Funds Pension and Other Employee Benefit Trust Funds Administered by the Employees and Teachers Retirement System, the interest rate risk table reflected a misclassification of balances between Mutual Funds Equity and Private Equity.

Cause: Several factors contributed to the issues above. Overall, the entire agency has been under stress with additional responsibilities added with the COVID-19 pandemic. The errors identified in the financial statements presented for audit indicate that the SAO's current processes and timeline for compiling that information do not allow sufficient time for analysis and review, which is critical to preventing or detecting and correcting significant reporting errors. Additionally, the SAO experienced a significant amount of turnover over the last year.

Effect: Prior to adjusting for the above items, the State's financial information contained significant errors. Weaknesses in the financial statement review process increase the likelihood of untimely detection and correction of errors in the Annual Comprehensive Financial Report (ACFR).

Recommendation: The SAO should strengthen its financial statement preparation process by focusing on implementing detective controls for areas that are highly manual in nature and more susceptible to the risk of a material misstatement. In addition, SAO should continue its efforts to ensure all of its designed controls are followed to detect and correct reporting errors in a timely manner.

Views of Responsible Officials: We concur with this finding. As mentioned above, the Fiscal Year 2021 ACFR was challenging due to both the additional responsibilities added with the COVID-19 pandemic and staff turnover. Additionally, the preparation process continues to be highly complex and manual in nature, which is therefore susceptible to errors.

STATE ENTITY: DEPARTMENT OF EDUCATION

2021-002 Strengthen Controls over Financial Reporting

Internal Control Impact: Material Weakness
Compliance Impact: None

Description: The Department of Education should strengthen controls over financial reporting to ensure the accuracy of the information it prepares for the State's financial statements.

Background Information: State organizations provide information to the State Accounting Office (SAO) to permit the proper accounting and reporting of financial information in the State's Annual Comprehensive Financial Report (ACFR) and Schedule of Expenditures of Federal Awards (SEFA). The SAO has created several financial reporting forms to facilitate this process. State agencies, including the Georgia Department of Education (GaDOE), complete and submit the forms to SAO as part of the annual reporting process.
Criteria: The GaDOE is responsible for maintaining a system of controls over financial reporting in accordance with generally accepted accounting principles (GAAP). The design and operation of the GaDOE's controls should allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements of the financial information in a timely manner. Further, the control structure should enable the GaDOE to provide accurate and timely information to be reported in the State's ACFR.
Condition: Our review of the financial information prepared by the GaDOE revealed several errors in the recording of activity associated with the Elementary and Secondary School Emergency Relief Fund (ESSER) program. The following misstatements were identified and corrected by auditors:
Material audit adjustments to the General Fund, in the amount of $2.3 billion, were required to correct overstatements to accounts receivable, accounts payable, revenue, and expense account balances.
Material audit adjustments totaling $2.3 billion were required to correct the overstatement of expenditures for Assistance Listing Numbers 84.425D and 84.425U as reflected on the SEFA under the ESSER program.
Cause: The GaDOE utilizes a standard methodology for estimating and recording account balances associated with subsequent period subrecipient reimbursement needs. While this methodology results in materially correct account balances for existing programs with typical 12-month periods of performance, the ESSER programs have an extended period of performance and funds are not expended in the same predictable manner that is observed in programs that were in operation prior to the pandemic. Therefore, the calculation used to estimate subsequent period ESSER activity was not deemed reasonable based upon a review of subsequent period subrecipient reimbursement requests through the end of audit fieldwork.
Effect: Prior to adjustment, the GaDOE's financial information contained material errors. Without effective controls over the financial reporting process, the GaDOE cannot ensure the accuracy of its accounting records and year-end financial submissions. This increases the risk of misstatements in the State's ACFR and SEFA, as well.
Recommendation: The GaDOE should improve controls over financial reporting by incorporating additional oversight, analyses, and reconciliations to aid in the prevention or timely detection and correction of errors in its accounting records and year-end financial submissions. The GaDOE should also evaluate standard methodologies involving estimates to determine if they are appropriate for each new federal program based upon the nature of the program.
Views of Responsible Officials: The Georgia Department of Education (GaDOE) does not concur with this finding. The GaDOE utilizes a standard methodology for estimating and recording account balances associated with subsequent period subrecipient reimbursement to materially correct our account balances. We also have additional internal controls in place during the year-end reporting process to identify and review any account balances which may need to be adjusted outside of this process. During this review, in September 2021, the department noted that we may need to adjust CFDAs 84.425D and 84.425U. This was then discussed with the Georgia Department of Audits (GDOAA) and State Accounting Office (SAO). During these discussions it was determined the department would apply the standard methodology and not make a special adjustment. The GaDOE was also not made aware of any issues or concerns with these account balances until after the auditors completed field work in late December 2021. At this time, it was discussed and agreed that CFDAs 84.425D and 84.425U would be adjusted to the actual cash draws on the grants as of 12/20/2021. The department then adjusted the financial statements and requested the GDOAA adjust the Schedule of Expenditures of Federal Awards (SEFA). The adjustment methodology applied would not have yielded the same account balances in September of 2021. Any adjustment made would have had to be adjusted again in late December 2021. Furthermore, the GaDOE was not made aware of this finding until March 9, 2022. Given these circumstances the GaDOE has determined our internal controls are not materially weak and a corrective action plan is not warranted.
Auditor's Concluding Remarks: Auditors met with a representative from the GaDOE on September 7, 2021 to discuss the activity that should be reported on the SEFA and ACFR related to the ESSER programs. Auditors explained that the GaDOE should review subsequent period reimbursement requests received from subrecipients when determining the amount to be reported on the SEFA. In a September 8, 2021 email, the SAO also emphasized that the GaDOE should not record program activity associated with subrecipients that had not met all eligibility requirements by year-end. However, the GaDOE chose to apply the standard methodology utilized to estimate account balances associated with subsequent period subrecipient reimbursement needs and did not compare this estimate to actual activity occurring after year-end or consider whether subrecipients had met appropriate eligibility requirements prior to year-end.
Additionally, a material weakness is defined as a "deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis." In this case, material misstatements were not prevented, or detected and corrected, in the balances submitted to SAO for inclusion in the ACFR and the SEFA; therefore, this deficiency would be considered a material weakness in internal control. Further, as noted in the Criteria above, it is the responsibility of the GaDOE to submit materially correct information for inclusion in the State's ACFR and SEFA. We reaffirm our finding and will review the status of the finding during our next audit.
STATE ENTITY: DEPARTMENT OF COMMUNITY HEALTH

2021-003 Continue to Strengthen Application Risk Management Program

Internal Control Impact: Significant Deficiency
Compliance Impact: Nonmaterial Noncompliance
Repeat of Prior Year Finding: 2020-004, 2019-006, 2018-006

Description: The Department of Community Health should continue to strengthen controls over its application risk management program.
Background Information: The Department of Community Health (DCH) relies extensively on automated data processing controls contained within computer systems and business processes of various third-party vendors to process payment claims for the Medicaid program. Internal controls over services provided by vendors and their related computer systems and business processes are essential for ensuring the security, confidentiality, availability, reliability, and integrity of Medicaid payment data.
As part of our fiscal year 2021 audit, we followed up on the DCH's efforts to implement corrective action plans in response to the prior year finding in which we reported the DCH did not have adequate controls in place over its application risk management program related to the claims and payment processing of Medicaid benefits. Although the DCH has not fully implemented all its corrective action plans, we noted that ongoing efforts are being made.

Criteria: Pursuant to the Official Code of Georgia Annotated (OCGA) 50-25-4(a)(20), the Georgia Technology Authority (GTA) is to establish technology security policies, standards, and services to be used by all agencies. The DCH is responsible for establishing and maintaining an information technology (IT) risk management program as required by the following GTA policies and standards related to assessing and managing IT risks:
Information Security Risk Management Policy (PS-08-031): Each agency shall institute an organization-wide risk management approach to information security that assesses the risks (including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction) to information and systems.
Risk Management Framework Standard (SS-08-041): To adopt and implement a risk-based approach to information security and shall use the National Institute of Standards and Technology (NIST) risk management framework.
Security Controls Reviews and Assessments Policy (PS-08.029.01): To establish requirements for agencies to assess security controls for IT systems.

Outsourced IT Services and Third-Party Interconnections Standard (SS-08-044.01): To establish requirements for agencies to ensure adherence to established security requirements by third-party IT service providers and/or interconnections.
Information Security Control Policy (PS-17-001): To improve how security controls are managed within the State's shared-service environment and third-party service providers.
Information Security Control Standard (SS-17-001): Agencies, Third-Party Service Providers, and Service Integrators operating in a shared-service environment are responsible for ensuring that applicable NIST 800-53 (rev. 4) security controls are implemented and operated effectively.
Further, the DCH is required to conduct periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems when significant system changes occur. The DCH is also responsible for establishing and maintaining a system security plan and performing biennial system reviews involved in the administration of U.S. Department of Health and Human Services programs (Title 45 Code of Federal Regulations (CFR) section 95.621).
An effective risk management program should also include elements listed below in order to reduce the risk of error, misuse, or fraud:
1. Policies and procedures designed to address security of the physical location of resources, equipment, software and data, telecommunications, and personnel;
2. Disaster recovery and business contingency plans;
3. Emergency preparedness; and
4. Review and monitoring of complementary user entity controls as defined by service organizations.
Additionally, as a recipient of federal awards, the DCH is required to establish and maintain effective internal control over federal awards that provides reasonable assurance of managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards pursuant to Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 200.303 Internal Controls.
Condition: Our review of the DCH's risk management program related to automated data processing systems revealed the deficiencies described below.
Risk Analysis: We noted risk is assessed for the Medicaid Management Information System (MMIS); however, a formal risk analysis process has not yet been established and does not include all data processing systems for the Medicaid program.
System Security Reviews (SSRs): While the DCH stated that System and Organizational Controls (SOC) Type II reports and the related complementary user entity controls (CUECs) are obtained and reviewed on an annual basis, there was no documented evidence that these reviews were taking place. In addition, we noted that assessments to determine whether controls are in place, operating effectively, and successfully mitigating the DCH's risks were not being performed.
Systems Security Plans (SSPs): The DCH has formally documented an SSP for one of its automated data processing systems. Additionally, the DCH has drafted an SSP for the system used to process claims and payments of Medicaid benefits; however, the draft plan has not been approved or implemented.
Policies and Procedures: We noted that 16 out of 18 security and privacy policies and procedures requested for review had not been formally developed. Furthermore, the annual review process associated with the two security and privacy policies that were formalized was not performed within the defined frequency.
Cause: The DCH did not have sufficient resources needed in order to address all noted deficiencies within the current fiscal year.
Effect: The lack of a formal IT risk management program results in noncompliance with the applicable state and federal requirements and exposes the DCH to unnecessary risk of error, misuse, fraud, or loss of data from both internal and external forces which could impact the integrity and reliability of data used for the claims and payment processing of Medicaid benefits.
Recommendation: The DCH should continue to allocate necessary resources to implement a formal risk management program to allow management to gain reasonable assurance the DCH will achieve its agency and program objectives and comply with operational, financial reporting, and compliance requirements. An effective risk management program should, at a minimum, address Risk Analysis, SSRs, SSPs, and Security and Privacy Policies and Procedures.
The DCH should also review and assess SOC reports and the CUECs expected to be in place at the DCH and develop a process for tracking the results of these reviews.
Views of Responsible Officials: We concur with the finding as it was only partially resolved.
STATE OF GEORGIA FINANCIAL STATEMENT FINDINGS
YEAR ENDED JUNE 30, 2021
STATE ENTITY: OFFICE OF THE GOVERNOR

2021-004 Improve Controls over Financial Reporting

Internal Control Impact: Significant Deficiency
Compliance Impact: None

Description: The Governor's Office of Planning and Budget should improve controls over financial reporting to ensure the accuracy of the information it prepares for the State's financial statements and note disclosures.

Background Information: State organizations provide information to the State Accounting Office (SAO) to permit the proper accounting and reporting of financial information in the State's Annual Comprehensive Financial Report (ACFR) and Schedule of Expenditures of Federal Awards (SEFA). The SAO has created several financial reporting forms to facilitate this process. State agencies, including the Governor's Office of Planning and Budget (OPB), complete and submit the forms to SAO as part of the annual reporting process.
Criteria: The OPB is responsible for establishing and maintaining a system of internal controls over financial reporting in accordance with generally accepted accounting principles (GAAP). The design and operation of the OPB's controls should allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements of the financial information in a timely manner.
Condition: Our review of the financial information prepared by the OPB revealed a significant error. Cash and accounts payable activity associated with the Coronavirus State and Local Fiscal Recovery Fund (SLFRF) program was duplicated, which resulted in the overstatement of cash and accounts payable balances in the amount of $430,913,793 for the General Fund.

Cause: The duplicate accounting entries were not identified during the reconciliation process due to oversight.

Effect: Prior to adjustment, the OPB's financial information contained a significant error. Without effective controls over financial reporting and the various reconciliation processes, the OPB cannot ensure the accuracy of its accounting records and year-end financial submissions. This increases the risk of misstatements in the State's ACFR, as well.
Recommendation: The OPB should improve controls over financial reporting to ensure the financial information submitted to SAO for inclusion in the ACFR is accurate. Such controls should be designed to address new, unusual, or complex transactions and account balances.

Views of Responsible Officials: We concur with this finding. The financial unit within the Administration Division of the Governor's Office of Planning and Budget is the area responsible for financial reporting. In entering year end transactions as part of the closeout process, the transfer of funds from the Office of Planning and Budget to the Office of the State Treasurer was correctly entered into the TeamWorks Financial Management System to show a debit to the Office of Planning and Budget's cash accounts during FY 2021. However, TeamWorks incorrectly attributed the transaction to FY 2022 as there were multiple accounting periods open simultaneously in the system during close out, resulting in the overstatement of cash balances in FY 2021. While both OPB bank and treasury account balances were correct when examined through regular reconciliation and reporting of the treasury account balances, OPB failed to identify this error through the standard monthly bank reconciliation process due to a backlog of completing monthly reconciliation processes in a timely manner. The misstatement was the result of a single entry and system error; however, no funds were unaccounted for and the misstatement was corrected through an additional post closing adjustment upon discovery and prior to the issuance of any state financial reports. During FY 2021, the financial unit was faced with additional challenges which affected the timeliness of routine reconciliation and review processes including staff shortages due to medical leave which resulted in other team members picking up additional duties and an overall increase in workload, particularly in financial transactions and procurements, within the agency and attached agencies as a result of pandemic response and expansion of OPB. The Division has prioritized reviewing the remaining backlog of reconciliations and expects to complete those outstanding reconciliations as of the close of the March 2022 accounting period.
STATE ENTITY: DEPARTMENT OF LABOR

2021-005 Strengthen Logical Access Controls

Internal Control Impact: Significant Deficiency
Compliance Impact: Nonmaterial Noncompliance
Repeat of Prior Year Finding: 2020-007

Description: The Georgia Department of Labor should strengthen logical access controls over the unemployment insurance system.
Background Information: The Department of Labor (DOL) relies extensively on its unemployment insurance system (the system) to collect employment insurance taxes and process unemployment benefits for the State. Controls over this system are essential to protect the reliability and integrity of employment insurance tax and unemployment benefit data from manipulation, corruption, or loss.
As part of our fiscal year 2021 audit, we followed up on the DOL's efforts to implement its corrective action plan in response to the prior year finding in which we reported the DOL did not have adequate logical access controls in place over its unemployment insurance system. Although the DOL did not implement its corrective action plan during the fiscal year 2021 audit period, it did begin to address the deficiencies noted in the prior year finding.
Criteria: The DOL is responsible for the effective operation of the system and related control activities. This includes information technology (IT) general controls that ensure logical access is assigned based on job roles and responsibilities, along with enforcing segregation of incompatible duties. It also includes the implementation of policies and procedures, which are important in establishing processes for managing and monitoring user access, changes made to user access roles, and defining segregation of duties rules that govern the assignment of access rights to specific roles.
Pursuant to the Official Code of Georgia Annotated (OCGA) 50-25-4(a)(20), the Georgia Technology Authority (GTA) is to establish technology security policies, standards, and services to be used by all agencies. The DOL is responsible for adhering to the technology security policies and standards which include:
Access Control Policy (PS-08-009) - Access to State information assets is to be controlled and monitored to protect from unauthorized access and disclosure.
Authorization and Access Management Standard (SS-08-010) - Requires periodic reviews of access control lists and logs to validate the appropriateness of user accounts and use of access privileges. Access control measures are critical to ensuring users only have access to the information for which they are authorized and need to perform their official duties.

Additionally, as a recipient of federal awards, the DOL is required to establish and maintain effective internal control over federal awards that provides reasonable assurance of managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards pursuant to Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Section 200.303 Internal Controls.
Condition: We noted the DOL did not perform the annual user access and role reviews for the system during the fiscal period 2021 under review.
In addition, auditors performed a follow-up review of the 17 system users identified as having inappropriate user access roles that were not required for their job duties and responsibilities during the fiscal year 2020 audit. The following deficiencies were noted with 16 user accounts that continued to have inappropriate access during fiscal year 2021:
While one or more unnecessary permissions were corrected for nine users, these users still had inappropriate permissions associated with their roles that were not required for their job responsibilities.
Seven users continued to have the same inappropriate access and permissions associated with their roles.
The details related to the deficiencies have been provided to the DOL management and shall not be considered a public record in accordance with OCGA 50-6-9(b).
Cause: The DOL continued to experience a high demand for unemployment benefit payments during the year under review and, therefore, did not have the resources to perform the procedures established for user access and role reviews for the system until November 2021, after the fiscal year 2021 audit period. Furthermore, the DOL was unable to implement the prior year corrective action plan to collaborate with business units to design more specific roles to align more closely with each user's role and daily tasks as appropriate.
Effect: The deficiencies in logical access result in noncompliance with the GTA technology security policy and standards and the Uniform Guidance and increase the risk of unauthorized access to the system and possible manipulation or loss of data.
Recommendation: The DOL should continue to strengthen its logical access controls over its system by following the established user access review process and enhancing the role design review process to include management input, along with the business owners, to ensure roles contain the appropriate and anticipated permission levels. The DOL should consider designing more specific roles to align more closely with each user's role and daily tasks.
Views of Responsible Officials: The Department concurs with this finding:
a) The Department agrees that the objective of the logical controls process is to avoid the unnecessary risk of unauthorized access to the unemployment insurance and possible manipulation or loss of data.
b) During the FY20 and FY21 periods, the agency was operating under exceptional circumstances due to the COVID-19 pandemic. The GDOL was faced with multiple priorities while attempting to process the unprecedented volume of unemployment benefits claims established through regular UI, as well as the five new federal programs enacted by Congress.
c) During the pandemic, in order to help provide timely payments to eligible claimants, many users within the agency were granted additional access, commensurate to their additional responsibilities, to help process the overwhelming volume of claims. A user's "normal" role may not require additional transactional access, however the "expanded" roles did require it in order to work to process claims in a timely manner. Everyone at the agency had expanded roles and responsibilities in the "all-hands-on-deck" approach that was necessary and required by the agency in order to process the overwhelming volume of more than five million claims received during this unprecedented time.
d) GDOL Information Technology instituted a process in FY16 for performing annual global access monitoring, to ensure users only have access to the information for which they are authorized and need to perform their official duties, as well as to serve to further mitigate any risk of unauthorized access to systems within the Department network. This process has subsequently been executed annually from FY16 through FY19 as part of our standard operating procedure. The Information Technology division enhanced the annual transaction access review in FY19 to include a biennial role design review with the appropriate business units to ensure transactions assigned to the role continue to be appropriate based on job responsibilities and business functions.
STATE ENTITY: DEPARTMENT OF LABOR (continued)

2021-006 Strengthen Accounting Controls Overall

Internal Control Impact: Material Weakness
Compliance Impact: None
Repeat of Prior Year Finding: 2020-008, 2020-009

Description: The Georgia Department of Labor should improve controls over financial reporting to ensure the financial information submitted to the State Accounting Office for inclusion in the State's financial statements is timely, accurate and complete.

Background Information: The Georgia Department of Labor (DOL) is responsible for the administration and monitoring of Georgia's unemployment insurance (UI) programs, including the collection of unemployment premiums from employers, the payment of unemployment insurance benefits to claimants, and conducting audits and investigations of premiums and benefits to ensure they are properly paid. The DOL's Financial Services Section is responsible for all of the DOL's financial reporting, including the accurate and timely entry and approval of financial transactions.
Annually, the State of Georgia issues an Annual Comprehensive Financial Report (ACFR) designed to provide a general overview of the State's finances for all of the State's citizens, taxpayers, customers, investors, and creditors. The report seeks to demonstrate the State's accountability for the money it receives. The DOL is part of the primary government as presented in the ACFR. While the SAO has been tasked with consolidating the financial information from organizations within the reporting entity, the DOL must do its part to ensure the information that is reported to SAO to include in the ACFR is complete, accurate, appropriately presented and provides adequate disclosure of key financial issues.
The purpose of our audit work was to determine whether the DOL had adequate internal controls in place during fiscal year 2021 over collecting UI taxes, adjudicating claims and processing of UI benefit payments, and whether it recorded the UI financial transactions accurately. Further, testing procedures were performed over material account balances, including Accounts Receivables, Benefits Payable, Cash & Cash Equivalents, UI Tax Revenue, and UI Benefit Payments, to determine whether the DOL accurately reported its financial information to the SAO for inclusion in the ACFR.
Criteria: The DOL is responsible for maintaining a system of controls over financial reporting in accordance with generally accepted accounting principles (GAAP). The design and operation of the DOL's controls should allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements of the financial statements in a timely manner. Further, the control structure should enable the DOL to provide accurate and timely information to be reported in the State's ACFR and Schedule of Expenditures of Federal Awards (SEFA).

Proprietary Fund financial statements are reported using the economic resources measurement focus and the accrual basis of accounting. Under the accrual basis of accounting, revenues are recorded when earned and expenses are recorded when a liability is incurred, regardless of the timing of cash flows. Federal financial assistance is considered earned in the fiscal year in which eligibility requirements imposed by the grantor have been met. Specifically, at year-end, all benefit claims incurred by the DOL during the fiscal year but paid subsequent to fiscal year-end should be recorded in the current fiscal year as an expense and payable. A corresponding federal revenue and receivable should also be recorded in the same amount for the associated federal financial assistance.
Condition: During our fiscal year 2021 audit, we identified material weaknesses in internal control relating to the recording and reporting of UI benefit payments. These deficiencies resulted in errors and omissions in the DOL's financial reporting for inclusion in the ACFR. Of particular importance, we found that the DOL failed to consider the impact of the COVID-19 pandemic when recording transactions throughout the year and when performing its fiscal year-end financial reporting.
The specific issues that we found are as follows:
Lack of controls over the payment of benefits. Our audit of the Unemployment Compensation Fund (UCF) included a review of benefit payments related to regular UI and CARES Act UI programs. We identified 133 State Extended Benefit (SEB) payments totaling $27,086 that exceeded the maximum payment amount, 25 instances of duplicate payments totaling $8,283 that affected both regular UI and CARES Act UI benefits, and 3,575 instances where a claimant was paid benefit amounts from two programs for the same week's claim, which resulted in identified overpayments of $1,024,974. In total, these issues resulted in $1,060,343 of identified overpayments. Auditors provided full details of these results to the DOL to confirm our observations and requested further information and confirmation of their validity. As of the end of fieldwork, no additional details regarding the nature, extent or disposition of the issues were provided to the auditors.
DOL did not record activity related to uncollected overpayments. The DOL operates primarily on a cash basis throughout the fiscal year. As such, the DOL must make year-end adjustments to convert its financial information to the accrual basis of accounting. However, the DOL did not record receivable amounts or related payables associated with identified overpayments. As this was a repeat issue from the prior year, we requested a reconciliation of overpayment activity, including related allowance details, to determine a financial statement adjustment amount. While this information was requested in August 2021, we were informed at the end of fieldwork that this request was still in progress and required significant IT resources to complete.
Further, the DOL did not provide any documentation to support the existence of a methodology for determining an allowance for doubtful accounts associated with the uncollected overpayments.
Inadequate controls over financial reporting related to the SEFA. The DOL incorrectly reported various amounts on the SEFA as follows:
Expenditures totaling $1.6 billion that were reported on the prior year SEFA were also duplicated and reported on the current year SEFA.
Expenditures in the amount of $134 million were not separately identified as COVID-19 related award expenditures under Assistance Listing Number (ALN) 17.225, Unemployment Insurance.
Expenditures in the amount of $250,844 were omitted from the ALN 17.277, WIOA National Dislocated Worker Grants/WIA National Emergency Grants, balance reported.
COVID-19 related expenditures totaling $114 million were omitted from the ALN 17.225 amount reported.
Expenditures for several smaller, non-COVID related programs, which totaled $12 million, were omitted from the ALN 17.225 amount reported.
Inadequate controls over statewide reporting requirements. The SAO actively engaged with the DOL throughout the fiscal year working to set up more targeted deadlines for submitting financial information for the ACFR and following up on identified obstacles. Even with these efforts, the DOL did not meet the agreed upon deadlines and created additional work and delays for the SAO as they compiled the financial statements of the State. Further, the DOL consistently provided requested documentation to the Department of Audits & Accounts (DOAA) more than two weeks after the agreed upon due date or did not provide the requested information.
Cause: While the DOL was unable to provide a cause for the payments that exceeded the maximum payment amounts, the DOL indicated that they were aware of the issues associated with duplicate payments and responded that the errors noted with multiple program payments during the same week were due to a known system error.
The DOL did not have established procedures to record overpayment receivables, net of applicable allowance for doubtful accounts, in the financial statements.
Additionally, as of June 30, 2021, the DOL had not adjudicated all claims that had received UI benefits during fiscal years 2020 and 2021, and therefore, could not provide an estimate of the amount of UI overpayments it had made due to error or fraud as of fiscal year-end. Further, the DOL had not performed its normal/routine processes to identify potential overpayments for any fiscal year 2021 CARES Act UI payments.
The DOL did not have sufficient review procedures to ensure accurate reporting of expenditures of federal awards on the SEFA or for other reporting required by the federal program guidance.
The DOL lacked sufficient communication between the UI program staff, IT staff, and accounting staff to consider the impacts of decisions made for the UI program on the DOL's accounting records and, ultimately, the State's financial statements. Despite consistent collaboration between the SAO and the DOL, there continued to be a lack of urgency and priority set in meeting the deadlines agreed to with the SAO and DOAA. In addition, given the lack of available management information, IT resources were often necessary to develop information to respond to auditor requests, which depending on the complexity of the matter, could take four to six weeks to deliver.
Because financial accounting and reporting standards are constantly evolving and have become more complex in recent years, it has become more difficult for staff who function in a split operations and financial reporting capacity to keep up-to-date on current standards. The DOL's lack of staff with familiarity of financial reporting requirements contributed to the numerous issues encountered during the audit, as well.
Effect: Overall, the DOL's records did not permit the auditors to obtain sufficient, appropriate audit evidence to conclude that the receivable and payable balances reported in the UCF within the ACFR, as well as the expenditure amounts reported on the SEFA, as of June 30, 2021, were free of material misstatement. Further, due to the uncertainty surrounding the balances as a result of the significant number and amount of unadjudicated cases that were outstanding at fiscal year-end, we are disclaiming the State's fiscal year 2021 financial statements related to the UCF.
Strong financial accounting internal controls are necessary to ensure that UI balances are accurate; free of material misstatement; supported by sufficient, appropriate evidence; and reported accurately on the State's financial statements. Because the UI Program and its related activities are material to the State's financial statements, errors related to the program can negatively affect the auditor's opinion on the State's financial statements, as they did for fiscal year 2021.
Additionally, the long-term implications of modified opinions can affect the State's borrowing ability, its bond rating, and impact other fiscal responsibilities.
Recommendation: The DOL should improve internal controls over accounting for UI benefit payments by:
Fully documenting known system errors as they are found to be able to provide detail on the scope and impact to the UI program and allow program management and the financial division the ability to address how the errors could have an impact on both the program and financial reporting.
Establishing a timeframe for resolving the backlog of unadjudicated claims and establishing overpayments for any benefits that were paid in error or due to fraud.
Developing sufficient documentation or audit trails to follow the life cycle of an overpayment, from identification to collection or write-off.
Developing and implementing an adequate communication process between its UI Program staff, IT staff, and accounting staff to consider the impact of program staff decisions on the DOL's accounting records and the State's financial statements, and to ensure that transactions are properly recorded.
Strengthening policies and procedures over the year-end reconciliation and review of financial statement balances to help ensure the balances are recorded accurately and financial information is reported to the SAO in a timely, complete, and accurate manner for compilation of the State's ACFR.
The DOL's Financial Services Section should consider creating a dedicated financial reporting resource with appropriate knowledge and experience to assist with the accounting and financial reporting functions throughout the various divisions, including researching accounting issues, educating staff, coordinating with SAO, and preparing required year-end financial information for GAAP reporting.
Views of Responsible Officials: We concur with this finding with the following comments.
Agency responses are limited due to the greatly abbreviated response time authorized.
Lack of controls over the payment of benefits.
CAP After the implementation of the State Extended Benefits program there were two system corrections that needed to be made:
(1) For every payment system, there is an edit that ensures that payments do not exceed the established Weekly Benefit Amount for a claimant. This edit was erroneously omitted in the SEB payment system. This was corrected upon discovery on April 22, 2021.
(2) For every payment system, there is an edit that ensures that payments are not made on the same week ending date as payments on other systems. This edit was erroneously omitted in the PEUC payment system at the implementation of the State Extended Benefits program. This was corrected upon discovery on February 18, 2021.
Overpayments have been established on the 133 cases where the SEB weekly benefit amount was exceeded and the 25 instances of duplicate payments. An effort is being coordinated with the Information Technology Division to establish system-generated overpayments for the 3,575 instances where a claimant was paid benefit amounts from two programs for the same weeks requested. This will be completed by the end of the fiscal year June 30, 2022.
Activity related to uncollected overpayments
A methodology for determining an allowance for doubtful accounts associated with uncollected overpayments was developed and transmitted to DOAA before this finding was received.
Corrective Action Plan (CAP) The submitted methodology will be utilized to provide an auditable estimate for the allowance for doubtful accounts associated with uncollected overpayments.
Inadequate controls over financial reporting related to the SEFA
The SEFA has been completed and submitted to DOAA and SAO timely each fiscal year. The FY 2021 SEFA was submitted by the original due date in July. The volume of activity in the Proprietary Fund (State Unemployment Insurance Trust Fund) was exponentially higher in FY2021 than every year since the inception of GDOL combined. All reconciliations for the proprietary fund had not been completed by the due date and some realignments were required in the mapping of funding streams. Adjustments were made as the need presented itself and the document was resubmitted with corrections made. There were also some items that DOAA and SAO were working to agree on that required mutual agreement on how to record.
The modifications to the report could have been less burdensome if the SEFA due date was closer to the ACFR data deadline. There is also the possibility that the SEFA could be submitted in August as currently required with Budget Fund activity only and then resubmitted with Proprietary data added when fully reconciled when ACFR information is due. The ACFR due date is in late September because the second quarter UI tax due date is July 31st each year and the tax processing data is not completed until early September each year.
CAP DOL proposes that the SEFA be due later in August for the Budget Fund only and due in late September for the Proprietary UI Fund when the ACFR is normally due. This timing will allow GDOL to provide DOAA and SAO with a SEFA that reconciles with the ACFR.
Inadequate controls over statewide reporting requirements
GDOL remains committed to working with DOAA and SAO to provide accurate fiscal reporting. GDOL spent significant manhours with DOAA in instructing them in the complex processes of UI Claims. Perhaps the hours may have served the agency better had it been invested in analytics and supporting reporting activities.
In terms of the audit issued opinion on the State's financials, perhaps the initial (FY2020) modified opinion may have been a bit premature. The first federal program payment made by GDOL was 4/13/2020. A second federal program had initial benefits paid 4/27/2020 and a third did not have a first payment until 6/11/2020. If an overpayment was established from either of these programs by fiscal year end (June 30, 2020), it would have not aged for any period long enough to be deemed 'uncollectible' unless the claimant died or bankruptcy was declared. A bankruptcy judgment would be unlikely during a period that most judiciary systems were closed. Even if the courts were open with a full schedule, the time frame to secure a bankruptcy judgement could not be met in the ten weeks before FY20 fiscal year-end that GDOL issued its first federal payment. USDOL best practices suggest reporting an overpayment receivable as doubtful when inactivity extends more than 450 days. At June 30, 2020, just ten weeks had elapsed from the initial federal benefits paid by Labor. GDOL paid federal program benefits during the Great Recession and the dotcom crash. During neither period did DOAA require identified federal overpayments to be reported on the state financial reports and the state never had an obligation to repay the feds for any such overpayment. No federal benefit payment is made from the State UITF, creating no liability to the proprietary fund. Audits issued a modified opinion in FY2020. Looking back, it is reasonable to at least consider that this opinion may have been a rush to judgement for FY20. To this end, any resulting consequence to the State's forward ability to borrow is shared by the opining agency resolving that this distinction was appropriate at that juncture.
CAP GDOL remains fully committed to providing complete information for the statewide reporting. Accounting staff will submit data to DOAA after Information Technology has provided a complete file on UI program identified overpayments as of the end of the fiscal year. The data will include overpayment balances by category along with estimates for an uncollectible allowance.
Auditor's Concluding Remarks: The DOL states that a methodology for determining an allowable for doubtful accounts associated with uncollected overpayments was developed and transmitted to the DOAA; however, this information was transmitted to the DOAA in March 2022, which was after the issuance of the State's ACFR for fiscal year 2021. In addition, the DOL indicates that the early SEFA deadline resulted in the errors noted by auditors. The webportal application utilized to submit agency SEFA information was made available starting on July 19, 2021. While the SAO requested that agencies submit SEFA information by August 20, 2021, the SAO allowed the agencies experiencing delays associated with pandemic funding to request a submission deadline extension. However, the DOL submitted their initial SEFA information on the webportal on August 18, 2021. This submission did not contain expenditures for ALN 17.277 which were available to report at that time. In addition, while the ACFR due date was in September 2021, the DOL continued to make adjustments to financial statement information until January 2022. Further, the DOAA made a final SEFA adjustment to the webportal on February 4, 2022, after verifying the needed adjustments with SAO and DOL based upon adjustments made to the ACFR. The DOL should work with the SAO to determine if an extension of various reporting deadlines would facilitate more accurate reporting in future fiscal years. Given this clarification and the information reflected in the finding's condition, we reaffirm our finding and will review the status of the DOL's corrective actions during our next audit.

STATE OF GEORGIA FINANCIAL STATEMENT FINDINGS
YEAR ENDED JUNE 30, 2021
STATE ENTITY: DEPARTMENT OF LABOR (continued)

2021-007 Waste and Abuse Related to Employee Meal Purchases

Internal Control Impact: Material Weakness
Compliance Impact: Material Noncompliance

Description: The Georgia Department of Labor did not follow State policies and purchased items that constituted waste and abuse.
Background Information: On September 30, 2021, the Georgia Department of Administrative Services (DOAS) issued a report of the results of its limited scope audit of purchasing card (p-card) transactions of the Georgia Department of Labor (DOL) from March 1, 2020 through February 28, 2021. The audit was related to food purchases and was performed to determine compliance with section IX.B.6 ("Food or Meals") of the Statewide Purchasing Card Policy (P-card Policy), which incorporates the State Accounting Office's Group Meal Policy (SAO Group Meal Policy) and Statewide Travel Policy.
On October 4, 2021, the Georgia Office of the State Inspector General (OIG) issued a letter addressed to Governor Brian Kemp detailing the results of its review of the expenditures. The letter details the OIG's findings of whether the DOL's meal purchases violate the Georgia Constitution and various state administrative rules, specifically the DOAS P-card Policy and the SAO Group Meal Policy, as well as the OIG's opinion of whether these expenditures constitute general acts of waste.

Criteria: Government Auditing Standards (Yellow Book) define waste and abuse as follows:
Waste is the act of using or expending resources carelessly, extravagantly, or to no purpose. Importantly, waste can include activities that do not include abuse and does not necessarily involve a violation of law. Rather, waste relates primarily to mismanagement, inappropriate actions, and inadequate oversight.
Examples of waste given are:
a. Making travel choices that are contrary to existing travel policies or are unnecessarily extravagant or expensive.
b. Making procurement or vendor selections that are contrary to existing policies or are unnecessarily extravagant or expensive.
Abuse is behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances, but excludes fraud and noncompliance with provisions of laws, regulations, contracts, and grant agreements. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate.
Examples of abuse given are:
a. Creating unneeded overtime.
b. Requesting staff to perform personal errands or work tasks for a supervisor or manager.
c. Misusing the official's position for personal gain (including actions that could be perceived by an objective third party with knowledge of the relevant information as improperly benefiting an official's personal financial interests or those of an immediate or close family member; a general partner; an organization for which the official serves as an officer, director, trustee, or employee; or an organization with which the official is negotiating concerning future employment).
Condition: During our engagement, we obtained copies of the reports issued by both the DOAS and the OIG. The Yellow Book requires that we consider the reporting of matters of waste and abuse, if we become aware of them. We believe these matters warrant such reporting.
The DOAS audit determined that during the period under review, March 1, 2020, through February 28, 2021, the DOL spent $959,175 on p-card food purchases. The DOL spent an additional $153,627 from March 1, 2021, until June 11, 2021, for a total of $1.1 million dollars. This amount was spent on employees who were fed daily for approximately 285 days. The audit details noncompliance with the Statewide P-card Policy, SAO Group Meal Policy, and Statewide Travel Policy. In addition, the audit reports instances of insufficient documentation.
The OIG examined over $1.1 million spent to purchase meals for each of the DOL's employees for a nearly 15-month period. The purchases continued without interruption until June 11, 2021, when the DOAS suspended the DOL's ability to buy meals using a p-card.
The review notes an opinion of the OIG that the expenditures violated Article III, Section VI, Paragraph VI (a) of the Georgia Constitution of 1983, commonly known as the "gratuities clause." Additionally, the OIG found that based on its review of expenditures, the DOL violated both the State P-card and Group Meal Policies.
The OIG defines waste as "a reckless or grossly negligent act that causes state funds to be spent in a manner that was not authorized or represents significant inefficiency and needless expense." The OIG reported its belief that the "vast majority of the $1.1 million spent by DOL for group meals is appropriately categorized as waste."
We believe that the violations of the State Constitution and policies cited in the reviews meet the Yellow Book definition of waste. We also believe that the Yellow Book definition of abuse has been met as the purchase of employee meals continued for months after the initial stages of the COVID-19 pandemic and despite scrutiny of the practice by the DOAS when it began its formal audit on March 22, 2021. Further, we do not believe that a prudent person would consider this to be a reasonable and necessary business practice.
Cause: The DOL management determined the costs were reasonable in the interest of public safety for employees, as well as to meet the critical need to maintain a desirable level of productivity with an unprecedented demand for the DOL services, to use funds to provide lunches on the premises for employee health and welfare during both a pandemic and an unemployment crisis.
Effect: The business practice of providing meals to all employees throughout the state adopted by the DOL constitutes waste and abuse as defined by Government Auditing Standards.
Recommendation: The DOL should ensure that all current and future business practices follow the established policies and procedures of the State of Georgia.
Views of Responsible Officials: GDOL does not concur:
The condition statements presented in the OIG finding allude to providing of lunch (Process) to GDOL employees as being a breach of the Georgia constitution and reference the 'gratuities clause'. The DOAS Audit cites no such finding nor reference to any gratuitous purpose. Cases cited in the OIG document also fail to support the alleged violation as there was a clear benefit to the state. Lunch was provided to our staff to curtail the risk of exposure to an international pandemic as a safety measure and a productivity incentive. Would a gratuitous purpose be noted in a situation where non-agency personnel requested and received the use of rent-free office space and free parking in fee-based parking lots?
We must note that the agency was grossly understaffed after years of reduced state and federal appropriations of administrative dollars and no assistance was offered by any state agency. While many employees were able to work from the safety of their homes, GDOL had to meet that challenge head on and provide critically needed financial assistance to eligible, suffering fellow Georgians. GDOL had the critical responsibility to serve customers filing claims at a rate and volume never seen in history.
Providing lunch and asking staff to remain at their desks allowed us to realize more than 230,000 additional work hours to process UI claims and interact with Georgians in desperate need of our services. The increase in labor hours is equivalent to approximately 90 additional full-time, experienced staff with an estimated savings of eight (8) million dollars in administrative costs. GDOL staffing during the period consisted of 1,100 employees, over 60 security guards and more than 400 contractors. We invested an average of one thousand dollars per employee over a 15-month period to achieve and sustain an exceptionally high operational capacity. This translates to $67 per month per employee invested to process six (6) million UI claims and deliver twenty-three (23) billion dollars in UI benefits faster than most states of comparable size in the midst of persistent threats to personal safety, exposure of employee home addresses on social media, property vandalism, and protests.
As offered in GDOL's response to the DOAS report, GDOL did not begin this process before seeking and securing authorization from DOAS to make the purchases using the P-card. GDOL followed DOAS' guidelines entering invoices each business day in the DOAS proprietary TGM statewide system. GDOL complied with SAO per diem guidelines with limited exceptions that occurred in the initial deployment of the process. Wherever possible, GDOL utilized small businesses struggling during the pandemic and Georgia State University cafeteria. We continued to follow emergency Coronavirus mandates issued by the Governor's Office. We also wanted to reduce the need to make stops on the commute to and from work. Any employee illness could negatively impact the operation. We took the responsibility to actively maintain a safe workplace.
Even OIG admits GDOL's reasons for providing lunches were justifiable before asserting that the justification somehow morphed into 'waste'. OIG also admits that agencies have discretion with regards to how administrative assessment monies are spent. The federal dollars came from emergency administrative funds provided to the states by USDOL with broad discretion to states regarding the use of such funds to ensure adequate resources were available during this national historic emergency.
This process was undertaken in a genuine effort to reduce unnecessary work exposure to COVID and markedly enhanced claim processing productivity. There was no vaccine available during the first 12 months of this activity. When vaccines were introduced, they were limited to certain populations who, for the most part, were not in the workplace processing UI claims.
The decision was made to deliver lunches to all of our locations as grocery stores experienced greatly diminished product availability, restaurants closed due to the shrinking workforce, no relief was in sight and no one had any reasonable prediction on how long this international crisis would last. GDOL could not close down its processes and wait for the crisis to pass. That option was never a consideration. We have a responsibility to our fellow Georgians and to our employees. As an agency, we have experienced 382 cases of COVID, twenty-six (26) of those cases resulted in hospitalizations and unfortunately TEN (10) members of our staff paid the ultimate price and lost their lives to the Coronavirus. These ten staff members were parents, grandparents, siblings, friends, neighbors, and community partners. They were people engaged in the everyday life. We are certain that their surviving loved ones would find the categorization of providing them a delivered meal while they were at their desk working in a pandemic as a waste or abuse to be absolutely abhorrent. In the opinion of these external reviewers, staff are undoubtedly dispensable.
We strongly disagree that investing in the health and safety of our employees was reckless, grossly negligent, needless, imprudent, wasteful or unreasonable. The loss of life we suffered would likely have been far greater had we not taken the strategic approach to limit employee ingress and egress, provide meals and encourage social distancing in the workplace. Our attempt to protect our invaluable human resources by making the decision to reduce a known risk was neither abusive or wasteful but an act of genuine compassion, a substantial benefit to the state, and more than reasonable given the alternatives. Again, this investment was most beneficial as the return yielded hundreds of thousands of additional hours in critically needed, cost-efficient productivity. Such disregard for humankind does little more than contribute to the reasons that so many are leaving the workplace and causes employers in every sector to suffer as a result. We were on the front lines in unprecedented circumstances and made a judgment call that we continue to believe was both necessary and appropriate and stand by that decision.
Auditor's Concluding Remarks: The Georgia Department of Audits and Accounts (DOAA) acknowledges the overwhelming burden placed on the DOL due to the effects of the COVID-19 pandemic and the urgency with which payments were made to the unemployed citizens of Georgia. However, given the information reflected above and the Yellow Book definition of waste and abuse, we reaffirm our finding and will review the status of the finding during our next audit.

STATE OF GEORGIA FINANCIAL STATEMENT FINDINGS
YEAR ENDED JUNE 30, 2021
STATE ENTITY: DEPARTMENT OF REVENUE

2021-008 Continue to Strengthen Logical Access Controls

Internal Control Impact: Significant Deficiency
Compliance Impact: Nonmaterial Noncompliance
Repeat of Prior Year Finding: 2020-011, 2019-009

Description: The Department of Revenue should continue to strengthen controls over logical access within the tax return collection and processing information system.
Background Information: The Department of Revenue (DOR) relies extensively on its tax return collection and processing information system (the system) to perform complex calculations and collect and process large volumes of tax returns, payments, and refunds for the State. The DOR is responsible for the effective operation of the system and related control activities, including segregation of duties. Controls over the system are essential for the reliability and integrity of the DOR's financial data and to protect financial information from manipulation, corruption, or loss.
As part of our fiscal year 2021 audit, we followed up on the DOR's efforts to implement corrective action plans in response to the prior year finding in which we reported that the DOR did not have adequate controls in place over logical access within the system. Although the DOR has not fully implemented all of its corrective action plans, we noted that ongoing efforts are being made.

Criteria: The DOR is responsible for maintaining an effective information system, which includes information technology (IT) general controls that ensure logical access is assigned based on job roles and responsibilities along with enforcing segregation of incompatible duties. It also includes policies and procedures, which are important in establishing processes for managing and monitoring user access, changes made to user access roles, and defining segregation of duties rules that govern the assignment of access rights to specific roles.
Pursuant to the Official Code of Georgia Annotated (OCGA) 50-25-4(a)(20), the Georgia Technology Authority (GTA) is to establish technology security policies, standards, and services to be used by all agencies. The DOR is responsible for adhering to the technology security policies and standards which include:
Access Control Policy (PS-08-009) - Access to State information assets is to be controlled and monitored to protect from unauthorized access and disclosure.
Authorization and Access Management Standard (SS-08-010) - Requires periodic reviews of access control lists and logs to validate the appropriateness of user accounts and use of access privileges. Access control measures are critical to ensuring users only have access to the information for which they are authorized and need to perform their official duties.
Separation of Production and Development Environments Standard (SS-08-031) - Production systems require a stable and controlled environment to operate properly. Separating development and test activities from and restricting developer access to operational environments reduces the risks of inadvertent or unauthorized modifications to the operational system that could compromise the system's integrity or availability.
Condition: In response to our recommendations to strengthen logical access controls, the DOR made several improvements to address the removal of the inappropriate user access to the server production environment and the system. Additionally, the DOR implemented a user access review process for user access within the system. However, our review revealed the following logical access deficiencies still existed during the audit period:
Three out of 24 developers had the capability to move their own system code changes into the production environment within the system. However, after further review, it was determined these three developers did not move any of their own system code changes into production.
Two out of 66 users had inappropriate privileged access to the server production environment that is used to host the system. This inappropriate access provided users with the capability to delete critical files needed for the operation of the system.
Fourteen out of 66 users had inappropriate access within the system that was not commensurate with their job responsibilities. While this inappropriate access allowed one user to perform activity and transactions in the production environment rather than in the testing environment, it was determined that the remaining 13 users did not perform any activity or transactions with their inappropriate access in the system.
Six out of 42 users had inappropriate privileged access to the system database. Additionally, database administrators were assigned duplicate accounts with the same privileged access to the system.
The DOR has not established a formal process for reviewing the access privileges assigned to roles within the system to ensure appropriate segregation of duties are in place.
In addition, our review disclosed that certain general security settings for the system databases were not configured to provide reasonable assurance that the databases are not susceptible to potential exploitation based on known security vulnerabilities.
The details related to these deficiencies have been provided to the DOR management and shall not be considered a public record in accordance with the OCGA 50-6-9(b).
Cause: During an upgrade of the tool used to move system code changes into production, the existing system control preventing developers from moving their own system code change into production was removed inadvertently.
The DOR did not have a user access review process for the server production environment and databases in place to determine whether privileged user access continues to be appropriate based on job responsibilities.
The DOR has a process in place to review users' functional access within the system to ensure that access continues to be appropriate based on each user's job responsibilities; however, the process is not operating as intended. All users were not reviewed by their managers to determine whether access continues to be appropriate based on each user's current job responsibilities. In addition, for two of the users with inappropriate access, management did not have a full understanding of the roles that were being assigned during the new user system request process.
The DOR indicated that a formal process for reviewing the access privileges assigned to roles within the system will take place when the system is upgraded with a role base security function. This function updates how application security is administered and will allow DOR to define a more granular and effective method of reviewing segregation of duties within roles and align with least privilege standards.
In addition, the DOR did not change certain default general security settings to address known security vulnerabilities associated with the databases supporting the system. The system databases were transitioned to a new database technology when the DOR moved the system to the cloud. During this transition, the DOR did not have a review process in place to ensure that the database configuration settings were aligned with least privilege standards.
Effect: The deficiencies in logical access result in noncompliance with the GTA technology security policies and standards and increase the risk of unauthorized access to the information system data and possible manipulation or loss of data.
Recommendation: The DOR should continue to strengthen its logical access controls by:
Implementing a system control preventing developers from moving their own system code change into the production environment.
Documenting and implementing a user access review process for the server production environment and databases to determine whether users' access continues to be appropriate based on job responsibilities;
Ensuring all users are reviewed by their managers during the user access reviews to determine whether access continues to be appropriate based on the user's current job responsibilities;
Establishing an adequate process to allow management to appropriately request access for a new user's job responsibilities rather than replicating another user's access in the same position;
Removing the additional inappropriate user access identified within the application;
Documenting and implementing procedures for reviewing privileges assigned to system roles to determine whether proper segregation of duties exist and are enforced within the system;
Configuring the general security settings for the system databases to be aligned with least privilege standards to reduce the risk of unauthorized access and inappropriate activity.
Views of Responsible Officials: The department concurs with the finding.
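The access conditions in finding 2021-008 (self-promoted code changes, access not commensurate with job responsibilities, duplicate privileged accounts, incomplete manager reviews) can be tested mechanically from exported records. The sketch below is an added example, not part of the audit report or any DOR tooling; the record layouts, account names, role names and entitlement matrix are all constructed assumptions, and the review period start of July 1, 2020 is assumed from the fiscal year under audit.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample: promotions recorded by a deployment tool.
PROMOTIONS_CSV = """change_id,author,promoted_by
CHG-1001,dev_alice,rel_mgr1
CHG-1002,dev_bob,DEV_BOB
CHG-1003,dev_carol,rel_mgr2
"""

# Constructed sample: production accounts with their last access review.
ACCOUNTS_CSV = """account,owner,job,environment,role,last_review,reviewer
dba_dan,dan,dba,prod-db,db_admin,2021-03-15,mgr_erin
dba_dan2,dan,dba,prod-db,db_admin,2021-03-15,mgr_erin
dev_bob,bob,developer,prod-app,deployer,,
ops_fay,fay,sysadmin,prod-server,server_admin,2020-01-10,mgr_erin
tax_gus,gus,examiner,prod-app,examiner,2021-02-01,gus
"""

# Assumed entitlement matrix: production roles each job may hold.
ALLOWED_ROLES = {
    "dba": {"db_admin"},
    "sysadmin": {"server_admin"},
    "developer": set(),  # developers hold no production role
    "examiner": {"examiner"},
}
PRIVILEGED_ROLES = {"db_admin", "server_admin", "deployer"}


def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def self_promotions(promotions):
    """Changes moved to production by their own author."""
    return [p["change_id"] for p in promotions
            if p["author"].strip().lower() == p["promoted_by"].strip().lower()]


def not_commensurate(accounts):
    """Accounts whose role is outside what the owner's job allows."""
    return sorted(a["account"] for a in accounts
                  if a["role"] not in ALLOWED_ROLES.get(a["job"], set()))


def duplicate_privileged(accounts):
    """Owners holding more than one account with the same privileged role."""
    groups = defaultdict(list)
    for a in accounts:
        if a["role"] in PRIVILEGED_ROLES:
            key = (a["owner"], a["environment"], a["role"])
            groups[key].append(a["account"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def review_gaps(accounts, period_start):
    """Accounts never reviewed, reviewed before the period, or self-reviewed."""
    gaps = {}
    for a in accounts:
        if not a["last_review"]:
            gaps[a["account"]] = "never reviewed"
        elif date.fromisoformat(a["last_review"]) < period_start:
            gaps[a["account"]] = "review older than period"
        elif a["reviewer"] == a["owner"]:
            gaps[a["account"]] = "self-reviewed"
    return gaps


def run_review(period_start=date(2020, 7, 1)):
    """Run every check over the constructed samples and collect exceptions."""
    promotions = load(PROMOTIONS_CSV)
    accounts = load(ACCOUNTS_CSV)
    return {
        "self_promotions": self_promotions(promotions),
        "not_commensurate": not_commensurate(accounts),
        "duplicate_privileged": duplicate_privileged(accounts),
        "review_gaps": review_gaps(accounts, period_start),
    }


if __name__ == "__main__":
    for check, exceptions in run_review().items():
        print(check, exceptions)
```

A detective check like this complements, but does not replace, the preventive control the recommendation asks for in the deployment tool itself.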

STATE OF GEORGIA FINANCIAL STATEMENT FINDINGS
YEAR ENDED JUNE 30, 2021
STATE ENTITY: SAVANNAH STATE UNIVERSITY

2021-009 Internal Controls Over Financial Reporting

Internal Control Impact: Significant Deficiency
Compliance Impact: None
Repeat of Prior Year Finding: 2020-012

Description: The Institution did not have adequate internal controls in place over the financial statement reporting process. The original financial statements, as presented for review, contained significant errors and misstatements.

Criteria: Management is responsible for having adequate controls over the preparation of financial statements in accordance with generally accepted accounting principles (GAAP). The Institution's internal controls over GAAP financial reporting should include adequately trained personnel with the knowledge, skills, and experience to prepare GAAP based financial statements and include all disclosures as required by the Governmental Accounting Standards Board (GASB).
Condition: Our review of the Institution's GAAP basic financial statements, budget basis financial statements and notes to the financial statements revealed several errors. The following deficiencies were identified:
The Institution made journal entries to the financial statements that were incorrect. Significant adjustments were necessary to properly reflect the financial statements and note disclosures.
The fiduciary statements and related note disclosures are not properly supported and are incorrect. The custodial funds activity schedule does not agree to the amounts reported on the financial statements, which causes unidentified errors. Journal entries that were made to restate beginning net position and remove fiduciary activities were incorrect and insufficiently supported. In addition, a significant year-end journal entry was not completed, causing a likely understatement of accounts receivable and revenue in the amount of $3,360,094.
Numerous other significant year-end and adjusting journal entries were incomplete and/or lacked adequate supporting documentation. It could not be determined whether these journal entries would have a material effect on the Institution's financial statements.

An uncorrected misstatement was noted for a construction project that should have been capitalized during the current year. Capital assets are understated and expenses are overstated in the amount of $436,449.
The Institution did not properly reconcile general ledger balance sheet accounts to detailed subsidiary listings periodically. Specifically, the balance sheet reconciliations for cash, accounts receivables, capital assets, accounts payable, benefits payable and encumbrances payable were not being properly completed and/or approved in a timely manner. In addition, there were numerous reconciling items, including unidentified variances that were not supported and/or corrected in the general ledger in a timely manner.
There were several other corrected and uncorrected misstatements noted on the financial statements and note disclosures.
Cause: In discussing these deficiencies with management, they stated that this was due to turnover of staff.
Effect: Significant misstatements were included in the financial statements presented for review. The lack of controls and monitoring could impact the reporting of the Institution's financial position and results of operations.
Recommendation: The Institution should strengthen their internal controls and preparation and review procedures over financial reporting to ensure that the financial statements, including disclosures, presented for review are complete and accurate. These procedures should be performed by a properly trained individual(s) possessing a thorough understanding of GAAP, the applicable GASB pronouncements and knowledge of the Institution's activities and operations. The Institution should also consider implementing the use of a review checklist to assist in the review process over the financial statements.
Views of Responsible Officials: We concur with this finding.

STATE OF GEORGIA FINANCIAL STATEMENT FINDINGS
YEAR ENDED JUNE 30, 2021
STATE ENTITY: STATE ROAD AND TOLLWAY AUTHORITY

2021-010 Improve Controls over Financial Reporting

Internal Control Impact: Significant Deficiency
Compliance Impact: None
Repeat of Prior Year Findings: 2018-014, 2017-019, 2016-025

Description: The State Road and Tollway Authority should improve controls over financial reporting to ensure the accuracy and timeliness of the information it prepares for the State's financial statements.
Background Information: State organizations provide information to the State Accounting Office (SAO) to permit the proper accounting and reporting of financial information in the State's Annual Comprehensive Financial Report (ACFR) and Schedule of Expenditures of Federal Awards (SEFA). The SAO has created several financial reporting forms to facilitate this process. State agencies, including the State Road and Tollway Authority (Authority), complete and submit the forms to SAO as part of the annual reporting process. The Authority also prepares a set of financial statements that are utilized for inclusion in the ACFR by SAO. While the SAO has been tasked with consolidating the financial information from units of the reporting entity, the Authority must do its part to ensure the information that is reported in the ACFR is timely, complete, accurate, appropriately presented and provides adequate disclosure of key financial issues.
As part of our fiscal year 2021 audit, we followed up on the Authority's efforts to implement corrective action plans in response to its prior year findings in which we reported that the Authority needed to strengthen internal controls over the financial reporting process and reduce its reliance on end-user applications and manual processes that can be automated in its financial software. In the current fiscal year, the Authority worked with a consultant that provided assistance in the financial statement preparation process; however, the Authority was still unable to produce financial statements that were free of significant errors and omissions or met agreed upon deadlines. Additionally, there is evidence that the Authority continues to rely heavily on end-user applications and manual processes to create year-end financial statements. Further, the financial information submitted to SAO for inclusion in the ACFR continues to be an issue.
Criteria: The Authority is responsible for maintaining a system of internal control over the preparation of financial statements in accordance with generally accepted accounting principles (GAAP). The design and operation of the Authority's controls should allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements of the financial statements in a timely manner, as well as facilitate the preparation of complete and accurate financial statements.
Condition: Our review of the financial information prepared by the Authority revealed that significant adjustments were required to present the financial statements in accordance with GAAP.
Because the Authority had not prepared a complete set of financial statements since fiscal year 2018, significant adjustments were required to arrive at beginning balances for the Authority's fiscal year 2021 financial statements. In addition, significant adjusting entries associated with due to/due from accounts were provided to the auditors by the Authority. The total number of necessary adjustments to arrive at final financial statement amounts were 911 manual journal entries, five prior period adjustments, and 61 financial statement entries. In addition, the following audit adjustments were proposed by the auditors and accepted by the Authority to correct significant errors in the financial statements. First, an adjustment to reclassify $28,806,412 from accounts payable to contracts payable in the General Fund. Also, an adjustment to reclassify $28,806,412 in the General Fund from unearned revenue to capital grants and contributions as the Authority recognized revenue on a cash basis and not on the accrual-based method of accounting. Lastly, an adjustment to move bond proceeds of $484,160,000, bond premium of $117,789,867, and bond issue cost of $1,907,832 from the Debt Service Fund to the General Fund.
The SAO actively engaged with the Authority throughout the fiscal year working to set up more targeted deadlines for submitting financial information for the ACFR and following up on identified obstacles. The agreement was for a complete set of statements to be provided in early fall to allow for an audit of the statements before being compiled as part of the ACFR. Despite these efforts, the Authority did not meet the agreed-upon deadlines, has provided multiple iterations of the financial statements, and created additional work and delays for the SAO. The most recent target date to complete the audit of the June 30, 2021 financial statements is March 31, 2022, which is necessary to meet their continuing debt disclosure requirements.
Cause: The design and operation of the Authority's controls over its financial reporting process did not detect certain errors and omissions in its basic financial statements that resulted from human error. The two-year gap between the completion of basic financial statements exacerbated the number of corrections required to prepare the fiscal year 2021 financial statements and contributed to the delay in developing and completing the financial statements. In addition, the Authority's controls were often manual in nature rather than automated, which exposed the Authority to an increased risk of human error that had not been effectively mitigated within its financial reporting process. It is apparent that the Authority is not currently utilizing the full functionality of its main application for financial reporting resulting in the need for these manual adjustments.
Financial accounting and reporting standards are constantly evolving and have become more complex in recent years. The increase in complexity and pace of change makes it more difficult for staff who function in a split operations and financial reporting capacity to keep up to date on current standards. The Authority's lack of staff with familiarity of financial reporting requirements for government-wide and fund level financial statements and the ability to research, interpret, and apply applicable GAAP guidance contributed to the numerous adjustments and delays found during the audit.
Effect: Prior to adjustment, the Authority's basic financial statements contained significant misstatements and omissions. Without effective controls in place to address the risk of material misstatements, the Authority cannot ensure accurate financial reporting within its financial statements. This increases the risk of misstatement in the State's ACFR, as well.
Recommendation: The Authority should improve controls over financial reporting by incorporating additional reconciliations, analytical reviews, procedures for determining financial statement amounts, and training for staff that will aid in the timely detection of significant errors. In addition, we recommend the Authority continue its efforts to assess the risk of material misstatements to the financial statements and to strengthen internal controls over financial reporting by:
Documenting step-by-step procedures that define the entire financial statement preparation and review process, including procedures to identify and address new or unusual activity,
Developing a financial statement preparation schedule and a catalog of specific information and data needed to prepare the financial statements and the sources from which the information and data are collected,
Enhancing the analysis performed over areas identified as being more inherently at risk of material error in an effort to minimize the risk of future misstatements,
Reviewing processes that include a significant amount of manual effort or the use of offline spreadsheets as documentation to determine whether the financial system has functionality to allow for a more controlled process,
Considering ways to automate the transfer of information between systems where multiple systems are involved in processing transactions,
Implementing additional levels of review for areas that are more susceptible to human error,
Providing training on new governmental accounting standards, statewide policies, and applicable laws and regulations for all staff who prepare and review the financial information, and
Utilizing forms created by the SAO to aid in the submission of materially correct financial statement information related to the ACFR.
Given the continuous change in the financial reporting environment, the Authority needs to review its current job role/position expectations and required skillsets, as well as professional development plans, to ensure staff performing financial business processes are equipped with the appropriate skillsets, knowledge and experience to produce quality financial records and year end reporting.
We also recommend the Authority consider using the Government Finance Officers Association (GFOA) General Purpose Preparer Checklist when conducting reviews of its financial statements. This checklist is designed to provide comprehensive guidance for financial statement preparers and covers all Governmental Accounting Standards Board (GASB) pronouncements that have been issued as final documents.
Further, the Authority should develop a plan for the timely, complete, and accurate submission of information for the ACFR. While it is understandable that day to day responsibilities of the Authority are critical to the success of meeting organizational objectives, Authority management needs to recognize the implications to the State of their failure to prioritize meeting deadlines for the ACFR. The Authority should allocate appropriate resources, including creating a dedicated financial reporting position, and ensure appropriate coordination across functions within the organizations exists to prepare year-end financial statements for audit and to provide the SAO with the required information for GAAP reporting for the State's ACFR.
Views of Responsible Officials: In April 2021, the State Road and Tollway Authority (SRTA) engaged the services of a CPA firm, recommended by the State Accounting Office (SAO), to assist SRTA with the verification and/or validation of July 1, 2020 beginning account balances. This CPA firm was hired for two reasons: 1) SRTA lost a key resource in March 2021 that was responsible for financial reporting and a reporting expert was needed to fill this gap; and 2) SRTA needed assistance to ensure that transactions that had occurred during the time period of July 1, 2018 and June 30, 2020 were correctly represented for FY 2021 financial reporting. The verification of these transactions proved to be a bigger task than expected by all parties involved and caused unavoidable delays in meeting deadlines previously determined in conjunction with SAO and the Department of Audits and Accounts (DOAA). Each step of the way, SAO and DOAA were aware of the issues, the additional time needed to complete the tasks, and were cooperative with the delays. Progress was discussed weekly with DOAA (and in some cases, SAO) and information needed for the ACFR was at the forefront of the discussions. There were no recommendations or indications from the CPA firm, SAO or DOAA during the year that SRTA did not follow or that any party indicated could have resulted in a shorter time for completion. SRTA staff worked continuously to meet ongoing verbal requests from DOAA in a timely manner, provided responses to PBC list requests in a timely manner, and were in constant contact every week (and in many cases, every day). SRTA also provided SAO with what was needed for the ACFR and in fact, SRTA's submissions did not cause or significantly contribute to any delay in the completion of the ACFR. 
SRTA financial staff collaborated with SAO and DOAA, including on revised deadlines; engaged the services of a professional CPA firm; hired additional accounting staff; started the implementation of the state recommended FCC module to assist with financial consolidation and reporting and reduce manual processes; and provided weekly updates to the Executive and/or Deputy Executive Director as to progress or issues raised by SAO or DOAA staff (which were minimal).
SRTA concurs that the financial reporting for FY 2021 posed challenges related to the statutorily required transfer of a major proprietary fund to another Authority. The accounting entries needed for this transfer posed challenges that had not been experienced before which took additional time to analyze and understand. These challenges were seen from both SRTA and DOAA.
Auditor's Concluding Remarks: The Authority states that there were no recommendations from the DOAA which the Authority did not follow that could have resulted in a shorter time for completion of their financial statements; however, the DOAA has been providing recommendations in our financial statement findings to the Authority since fiscal year 2016 that have not been fully addressed. Also, the Authority staff were cooperative and fulfilled all verbal and written requests from the DOAA except for providing a complete set of financial statements and the mapping document used to create those financial statements prior to the release of the ACFR. The Authority did provide financial data for the ACFR; however, that data was unaudited and contained reporting errors. We reaffirm our finding and will review the status of the Authority's corrective action during our next audit.
STATE ENTITY: STATE ROAD AND TOLLWAY AUTHORITY (continued)

2020-011 Improve Controls over Capital Assets

Internal Control Impact: Significant Deficiency
Compliance Impact: Nonmaterial Noncompliance

Description: The State Road and Tollway Authority did not have adequate internal controls to prevent or detect errors and omissions in its reporting of capital asset information for use in the basic financial statements and the State's financial statements.

Background Information:
State organizations provide information to the State Accounting Office (SAO) to permit the proper accounting and reporting of financial information in the State's Annual Comprehensive Financial Report (ACFR) and related note disclosures. State agencies, including the State Road and Tollway Authority (Authority), utilize guidance reflected in the SAO's Accounting Policy Manual to support this effort. Specifically, the Capital Assets section of the SAO's Accounting Policy Manual provides comprehensive guidance on accounting for capital assets and reporting the activity in the ACFR in accordance with generally accepted accounting principles (GAAP). Further, GAAP specifies requirements for reporting financial statement balances and note disclosures for capital assets. These required note disclosures reflect information for each major class of capital assets, such as land and land improvements, buildings, etc.

Criteria:
The Authority is responsible for maintaining a system of internal control over capital asset records for use in the preparation of financial statements in accordance with GAAP. The design and operation of the Authority's controls should allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements of the financial statements in a timely manner, as well as facilitate the preparation of complete and accurate financial statements. The Authority is also responsible for documenting its controls, which is critical to the effective design, implementation, and operating effectiveness of the Authority's internal control system. Additionally, effective internal controls over capital assets should include policies and procedures to ensure compliance with statewide rules, regulations, policies and procedures as required by Title 50, Chapter 5B, Article 1 of the Official Code of Georgia Annotated (OCGA) 50-5B-4.

Condition: As part of our fiscal year 2021 audit, we examined the Authority's capital asset records used in the preparation of their basic financial statements and submission to the SAO for inclusion in the ACFR. We identified the following deficiencies related to capital assets:
A significant misstatement was noted for incorrectly including warranty costs of $2,385,810 in the Construction in Progress amount in the Proprietary Funds.
Immaterial interest costs for Proprietary Fund construction activity were not capitalized appropriately in prior years.
Immaterial expenses that were not properly capitalized were identified from prior years.
Disposals of capital assets totaling $32,517,552 occurred in fiscal year 2020 but were recorded as fiscal year 2021 disposals within the Proprietary Funds. The carrying value of these assets was $202,946.
Some capital asset additions were not depreciated based on the date the asset was placed in service. Additionally, certain capital assets were depreciated in a manner that was not consistent with the Straight-line method per the SAO's Accounting Policy Manual. The total impact of these deficiencies to the Governmental Activities was $235,672.
Several capital asset additions were not depreciated in the first year of service using the Following Month Convention set forth by the SAO's Accounting Policy Manual. The impact for the Proprietary Funds was $347,800.
The Authority did not obtain prior approval by the Department of Administrative Services (DOAS) when disposing of capital assets.
Capital asset policies were applied in an inconsistent manner across fiscal years (i.e., certain salaries were capitalized in some years but not in others).
Cause: The Authority did not adequately maintain a system of internal control over capital asset records. Additionally, the Authority did not follow guidance associated with capital assets within the SAO's Accounting Policy Manual.
Effect: The Authority's basic financial statements contained misstatements and omissions with regards to capital assets. Without effective controls in place to address the risk of material misstatements, the Authority cannot ensure accurate financial reporting within its financial statements. Additionally, this increases the risk of misstatement in the State's ACFR. Furthermore, deficiencies in controls over capital assets could lead to the misappropriation of assets and misrepresentation of the Authority's financial position.
Recommendation: The Authority should improve and implement additional internal controls over capital assets to ensure that asset records are complete and accurate for use in the Authority's basic financial statements and the State's ACFR by:
Verifying that all capital assets and related accumulated depreciation balances are categorized appropriately within note disclosures;
Identifying and/or making corrections to errors in capital asset records in a timely manner; and
Following all applicable capital asset policies and procedures reflected within the SAO's Accounting Policy Manual.
Views of Responsible Officials: We concur with this finding. At the beginning of FY 2019, the State Road and Tollway Authority (SRTA) transitioned to the State's Financial System and did not implement the TeamWorks Asset Management Module. SRTA was in the process of procuring an outside software solution for Asset Management to meet the complex needs of tolling and transit assets across two linked, but legally separate organizations, and was confident that the software solution would replace manual processes surrounding capital asset inventory, depreciation, and financial reporting. Due to various reasons, the software solution was not procured and SRTA resorted to using spreadsheets to keep track of capital asset information. It was anticipated that this approach would be temporary; however, several delays occurred, including the COVID-19 pandemic, which resulted in the new Request for Proposals for Asset Management to be released in late FY 2020 by the Atlanta-region Transit Link Authority (ATL). ATL was successful in selecting a vendor to implement an Asset Management software solution that will be used by both ATL and SRTA.

STATE ENTITY: GEORGIA PUBLIC TELECOMMUNICATIONS COMMISSION

2021-012 Controls over Capital Assets

Internal Control Impact: Significant Deficiency
Compliance Impact: None

Description: The Georgia Public Telecommunications Commission (GPTC) is not always properly managing and accounting for capital assets to ensure capital asset records are properly maintained and accurate.

Background Information: GPTC capitalizes equipment when the cost of individual items exceeds $5,000 and the estimated useful life exceeds two years. There is $69,984,135 recorded on the financial statements as capital assets, other property, and equipment at June 30, 2021. Almost 95% of these items are fully depreciated. As part of our fiscal year 2021 audit, we tested other property and equipment to verify existence. GPTC was unable to locate a significant number of the items selected for testing.
Criteria: GPTC management is responsible for designing and maintaining internal controls that provide reasonable assurance that capital asset inventory records are properly maintained and accurate. The State Accounting Office's (SAO) policy manual outlines policies and procedures related to fixed asset accounting, which includes specific requirements related to physical inventory, useful life, additions, disposal management and surplus property management. That policy provides that state of Georgia organizations must ensure that a physical inventory of capital assets is conducted at least every two years to validate the existence of capital assets reported in financial statements.
Condition: Our review of capital assets revealed the following:
GPTC did not perform physical inventories of capital assets as required.
Accumulated depreciation for other property and equipment was overstated by $118,007. This accumulated depreciation was related to a tower upgrade that had been transferred to the Board of Regents.

Any item with a value greater than $340,247 was considered to be an individually significant item for testing purposes. A test of all thirty-nine individually significant items with values totaling $25,544,541 for fully depreciated other property and equipment revealed that five items with values totaling $3,218,098 could not be located resulting in a likely overstatement of other property and equipment and accumulated depreciation.

For the remaining population, a sample of fifty-two fully depreciated other property and equipment items revealed that twenty-six items could not be located resulting in a $762,520 likely overstatement of property and equipment and accumulated depreciation. When the 40.87% sample error rate was projected to the total population, it resulted in a $15,119,801 projected overstatement.
We also noted that the useful life assigned to asset categories had not been re-evaluated and assets remained in service after they were fully depreciated.
Cause: Per discussion with management, GPTC had not implemented adequate internal controls that included full capital asset physical inventory procedures of all areas within headquarters and at each field site. In addition, departments do not consistently notify the finance department to update or remove assets in the financial system, which can be attributed to overall staff turnover and a lack of communication and coordination.
Effect: Without proper controls over capital assets, including maintaining a complete and accurate capital asset listing, there is a risk that the financial statements for internal and external reporting do not accurately reflect the true value of GPTC's capital assets. GPTC also may not be complying with SAO policies.
Recommendation: GPTC management should improve capital asset policies and procedures and implement additional procedures over physical inventory, asset removal and useful life. GPTC should ensure that assets are capitalized properly, disposed of, and removed from the financial system timely, and that useful lives are being appropriately evaluated and changed. GPTC should also review SAO capital asset policies and design and implement procedures to conduct a physical inventory of capital assets other property and equipment, review capital asset records for accuracy and make appropriate adjustments as necessary every two years.
Views of Responsible Officials: We concur with this finding.

STATE ENTITY: GEORGIA TECH RESEARCH CORPORATION

2021-013 Revenue-Sharing Agreement Noncompliance

Internal Control Impact: Significant Deficiency
Compliance Impact: Nonmaterial Noncompliance

Description: The Institution did not have adequate internal controls in place over revenue-sharing agreements to prevent noncompliance with applicable policies.
Criteria: Please note that Georgia Tech Research Corporation (GTRC) is not subject to state procurement policy; however, the agreement to share Georgia Tech Professional Education (GTPE) revenue is required to be administered under state and Board of Regents' policies. Specifically:
Georgia Procurement Manual - Section 1.3.4.5. Open Market Purchases, Section 1.4.4.3. Fiduciary Duty and Section 3.6.2. Requirements for Multi-Year Agreements.

Board of Regents Policies - Section 2.6.4 Agreements, Section 2.6.5 Delegation of Authority and Responsibilities and Section 7.7.1 General Policy.

Georgia Tech (GT) Signature Authority - Purchasing Agreements.
Condition: The University System of Georgia Office of Internal Audit (OIA) performed an audit of Georgia Tech Research Corporation and the Georgia Tech Applied Research Corporation. The following finding and related recommendations resulted from their procedures.
In August 2020, GTRC entered into a revenue-sharing agreement on behalf of GTPE. This Specialized Services Agreement (SSA) created a contractual obligation with third party organizations. The agreement contained an effective date of August 1, 2020, to continue for twelve months. The SSA referenced a Statement of Work (SOW). The payment structure outlined in the SOW created a revenue-sharing agreement between GTPE and the specified third parties. As such, GTRC did not have the delegation of authority to sign the agreement and create an obligation of GT funds. The agreement should have been processed through the GT Purchasing Office in compliance with state procurement policy. At the time of audit fieldwork, GTRC management was collaborating with GT legal counsel and Administration and Finance to determine the best course of action for fulfilling the monetary obligations to date, and the next steps for sourcing a revised agreement through the GT Purchasing Office.
Cause: GTRC management previously entered into revenue-sharing agreements on behalf of GTPE. Earlier in 2021, GTRC and GT management agreed that the agreements should be renegotiated and processed by GT under the state procurement policy. The SSA was signed before the change in practice for these agreements.

Effect: Public funds may be spent in violation of laws or policies and pose a reputational risk to GT and GTRC. Contract disputes and lawsuits may arise when procurements and contracts are not in compliance with state policy. GTRC may incur monetary obligations that are not in support of the primary mission of research. The Chief Business Officer, responsible for fiscal oversight of the institution, may be unaware of financial agreements which share GT funds with third parties.
Recommendation: To resolve these issues and mitigate the existing risks, we recommend GTRC:
Collaborate with the GT Office of General Counsel (OGC), Office of Administration & Finance (A&F), and GTPE to determine the most appropriate course of action to process payment for obligations to date under the agreement. Requests for payments under this agreement should include (1) Validation that the third party executed the deliverables outlined in the Statement of Work, and (2) Revenue-sharing payment calculations supported by detailed registration fee records. The revenue-sharing agreement should be renegotiated and processed through the GT Purchasing Office in compliance with all state policies. A transition period may be necessary to avoid course interruption for learners.
Strengthen policies and procedures to prevent the re-occurrence of inappropriately signing similar agreements.
Views of Responsible Officials: Management agrees with the finding. See management's corrective action plan.

Corrective Action Plan for Current Year Financial Findings

Brian P. Kemp Governor
Gerlda Hines, CPA State Accounting Officer
March 24, 2022
Mr. Greg S. Griffin, State Auditor Georgia Department of Audits and Accounts 270 Washington Street, S.W., Room 1-156 Atlanta, Georgia 30334-8400
Dear Mr. Griffin,
Enclosed with this letter is the State of Georgia's "Corrective Action Plan" (CAP) relating to financial statement findings, for reporting in the Single Audit for fiscal year ending June 30, 2021. This CAP is compiled by the State Accounting Office (SAO) based on corrective action plans provided by the respective State Organization, and is organized by State Organization and finding number.
The State's CAP satisfies the requirements as detailed in Title 2 U.S. Code of Federal Regulations, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Subpart F, Section 511 Audit findings follow-up.
If you have any questions regarding this CAP, please contact our Office.
Sincerely,
Gerlda B. Hines, CPA State Accounting Officer
200 Piedmont Avenue 1604 West Tower Atlanta, Georgia 30334 (404) 656-2133 (404) 463-5089 FAX www.sao.georgia.gov

STATE OF GEORGIA CORRECTIVE ACTION PLAN FOR CURRENT YEAR FINANCIAL FINDINGS
FISCAL YEAR ENDED JUNE 30, 2021

TABLE OF CONTENTS

FINANCIAL STATEMENT FINDINGS UNDER GOVERNMENT AUDITING STANDARDS

STATE ENTITY¹    STATE AGENCY
-                Statewide
414              Department of Education
419              Department of Community Health
422              Office of the Governor
440              Department of Labor
474              Department of Revenue
548              Savannah State University
927              State Road and Tollway Authority
977              Georgia Public Telecommunications Commission
5036             Georgia Institute of Technology Research Corporation

¹ The entity number represents the control number that was assigned to each State entity.

FINANCIAL STATEMENT FINDINGS REPORTED UNDER GOVERNMENT AUDITING STANDARDS
2021-001 Improve Controls over Financial Reporting
State Entity: Statewide Finding
Corrective Action Plans: The SAO will review its timelines for preparing the Annual Comprehensive Financial Report (ACFR) to determine where current timelines can be accelerated to allow for more timely completion and allow for sufficient review time. SAO will continue to provide routine training to all internal staff relating to various financial accounting and reporting topics. As for the largest of the items identified above, SAO will implement additional internal controls as necessary, such as comparing the amounts presented as Pooled Investments with the State Treasurer to the separately issued report. SAO will also continue to review our processes and implement automated solutions where possible.
Estimated Completion Date: June 30, 2022
Contact Person: Kris Martins, Deputy State Accounting Officer - Financial Reporting
Telephone: (470) 528-0776; E-mail: kris.martins@sao.ga.gov
2021-002 Strengthen Controls over Financial Reporting
State Entity: Department of Education (GaDOE)
Corrective Action Plans: The GaDOE does not concur with this finding. The GaDOE utilizes a standard methodology for estimating and recording account balances associated with subsequent period subrecipient reimbursement to materially correct our account balances. We also have additional internal controls in place during the year-end reporting process to identify and review any account balances which may need to be adjusted outside of this process. During this review, in September 2021, the department noted that we may need to adjust CFDAs 84.425D and 84.425U. This was then discussed with the Georgia Department of Audits (GDOAA) and State Accounting Office (SAO). During these discussions it was determined the department would apply the standard methodology and not make a special adjustment. The GaDOE was also not made aware of any issues or concerns with these account balances until after the auditors completed field work in late December 2021. At this time, it was discussed and agreed that CFDAs 84.425D and 84.425U would be adjusted to the actual cash draws on the grants as of 12/20/2021. The department then adjusted the financial statements and requested the GDOAA adjust the Schedule of Expenditures of Federal Awards (SEFA). The adjustment methodology applied would not have yielded the same account balances in September of 2021. Any adjustment made would have had to be adjusted again in late December 2021.
Furthermore, the GaDOE was not made aware of this finding until March 9, 2022. Given these circumstances the GaDOE has determined our internal controls are not materially weak and a corrective action plan is not warranted.
Estimated Completion Date: Not applicable
Contact Person: Metsehet Ketsela, Accounting Manager II
Telephone: (404) 656-2497; E-mail: metsehet.ketsela@doe.k12.ga.us
2021-003 Continue to Strengthen Application Risk Management Program
State Entity: Department of Community Health (DCH)
Corrective Action Plans: The Agency has identified and secured the necessary matching State funds along with approved Federal funds required to implement its CAP in order to fully remediate the audit finding by December 31, 2022. As a part of the remediation, the Agency is moving forward with acquiring the identified internal cybersecurity resources and contracted third-party security services required to fully remediate the audit finding within the identified timeframe.
The DCH Cybersecurity Office continues to monitor electronic visit verification (EVV) information security compliance through the following:
Office of Information Security (OIS) reviewed and approved the applicable Security assessment report and Plan of Action and Milestones (POAM). Currently tracking the remediation of one moderate severity assessment compliance gap scheduled for remediation by the end of March 2022.
EVV security and privacy certification was approved by Centers for Medicare and Medicaid Services (CMS).
EVV system security plan (SSP) and POAM were reviewed with GTA OIS. No additional security compliance recommendations were provided by GTA OIS.
The EVV Solution Service Provider has implemented a National Institute of Standards and Technology (NIST) compliant multi-factor authentication (MFA) solution for all in scope privileged accounts.
Estimated Completion Date: December 31, 2022
Contact Person: Jay Mistry, Deputy CIO
Telephone: (404) 576-7696; E-mail: jmistry2@dch.ga.gov
2021-004 Improve Controls over Financial Reporting
State Entity: Office of the Governor (OPB)
Corrective Action Plans: Management will implement new oversight processes to ensure bank reconciliations are performed within 30 days of receiving bank statements in accordance with the State Accounting Office Business Process Policy for bank reconciliations. At a minimum, monthly reconciliations will be documented and retained as well as performed by an employee not involved in the recording of the accounting transactions being reconciled and reviewed by management in order to minimize the risk of misstatements and help to ensure the accuracy of financial reporting.
Additionally, management has begun to assess and update, where appropriate, processes and controls pertaining to reconciliations and periodic reviews. OPB management will review and update procedures to better document specific accounting tasks, their required frequency, and their staff assignment based on functional area.
The Administration Division will routinely provide management updates on the results of reconciliation processes.
OPB will also examine whether additional reconciliation processes are necessary to aid in the year-end reporting of federal funding. Finally, OPB has hired additional procurement staff to address agency workload needs and will cross train accounting staff to allow for more agency flexibility in managing duties during staff absences.
Estimated Completion Date: June 30, 2022
Contact Person: Stephanie Beck, Deputy Director Telephone: (404) 656-6507; E-mail: stephanie.beck@opb.georgia.gov
2021-005 Strengthen Logical Access Controls
State Entity: Department of Labor (GDOL)
Corrective Action Plans: As was normal pre-pandemic, going forward the Information Technology division will continue to follow established user access reviews and continue to collaborate with business units to design more specific roles to align more closely with each user's role and daily tasks as appropriate.
• Completion of the global access monitoring for 2021 - completed in December, 2021. The next scheduled annual transaction access review is December, 2022.
• Completion of the biennial role design review - completed October, 2021. Future role design reviews will be completed biennially to ensure transactions assigned to the role continue to be appropriate based on the job responsibilities and business functions of each individual.
Estimated Completion Date: December 31, 2021
Contact Person: Lindsey Gardener, Information Technology Telephone: (404) 232-7548; E-mail: Lindsey.Gardener@gdol.ga.gov
2021-006 Strengthen Accounting Controls Overall
State Entity: Department of Labor (GDOL)
Corrective Action Plans:
Lack of controls over the payment of benefits
Corrective Action Plan (CAP)
After the implementation of the State Extended Benefits (SEB) program there were two system corrections that needed to be made:
For every payment system, there is an edit that ensures that payments do not exceed the established Weekly Benefit Amount for a claimant. This edit was erroneously omitted in the SEB payment system. This was corrected upon discovery on April 22, 2021.
For every payment system, there is an edit that ensures that payments are not made on the same week ending date as payments on other systems. This edit was erroneously omitted in the Pandemic Emergency Unemployment Compensation (PEUC) payment system at the implementation of the State Extended Benefits program. This was corrected upon discovery on February 18, 2021.
Overpayments have been established on the 133 cases where the SEB weekly benefit amount was exceeded and the 25 instances of duplicate payments.
An effort is being coordinated with the Information Technology Division to establish system-generated overpayments for the 3,575 instances where a claimant was paid benefit amounts from two programs for the same weeks requested. This will be completed by the end of the fiscal year June 30, 2022.
Activity related to uncollected overpayments
A methodology for determining an allowance for doubtful accounts associated with uncollected overpayments was developed and transmitted to DOAA before this finding was received.
CAP
The submitted methodology will be utilized to provide an auditable estimate for the allowance for doubtful accounts associated with uncollected overpayments.
Inadequate controls over financial reporting related to the SEFA
The SEFA has been completed and submitted to DOAA and SAO timely each fiscal year. The FY 2021 SEFA was submitted by the original due date in July. The volume of activity in the Proprietary Fund (State Unemployment Insurance Trust Fund - State UITF) was exponentially higher in FY2021 than every year since the inception of GDOL combined. All reconciliations for the proprietary fund had not been completed by the due date and some realignments were required in the mapping of funding streams. Adjustments were made as the need presented itself and the document was resubmitted with corrections made.
There were also some items that DOAA and SAO were working to agree on that required mutual agreement on how to record.
The modifications to the report could have been less burdensome if the SEFA due date was closer to the ACFR data deadline. There is also the possibility that the SEFA could be submitted in August as currently required with Budget Fund activity only and then resubmitted with Proprietary data added when fully reconciled when ACFR information is due. The ACFR due date is in late September because the second quarter unemployment insurance (UI) tax due date is July 31st each year and the tax processing data is not completed until early September each year.
CAP
DOL proposes that the SEFA be due later in August for the Budget Fund only and due in late September for the Proprietary UI Fund when the ACFR is normally due. This timing will allow GDOL to provide DOAA and SAO with a SEFA that reconciles with the ACFR.
Inadequate controls over statewide reporting requirements
GDOL remains committed to working with DOAA and SAO to provide accurate fiscal reporting. GDOL spent significant manhours with DOAA in instructing them in the complex processes of UI Claims. Perhaps the hours may have served the agency better had it been invested in analytics and supporting reporting activities.
In terms of the audit issued opinion on the State's financials, perhaps the initial (FY2020) modified opinion may have been a bit premature. The first federal program payment made by GDOL was 4/13/2020. A second federal program had initial benefits paid 4/27/2020 and a third did not have a first payment until 6/11/2020. If an overpayment was established from either of these programs by fiscal year end (June 30, 2020), it would have not aged for any period long enough to be deemed 'uncollectible' unless the claimant died or bankruptcy was declared. A bankruptcy judgment would be unlikely during a period that most judiciary systems were closed. Even if the courts were open with a full schedule, the time frame to secure a bankruptcy judgement could not be met in the ten weeks before FY20 fiscal year-end that GDOL issued its first federal payment. USDOL best practices suggest reporting an overpayment receivable as doubtful when inactivity extends more than 450 days. At June 30, 2020, just ten weeks had elapsed from the initial federal benefits paid by Labor. GDOL paid federal program benefits during the Great Recession and the dotcom crash. During neither period did DOAA require identified federal overpayments to be reported on the state financial reports and the state never had an obligation to repay the feds for any such overpayment.
No federal benefit payment is made from the State UITF, creating no liability to the proprietary fund. Audits issued a modified opinion in FY2020. Looking back, it is reasonable to at least consider that this opinion may have been a rush to judgement for FY20. To this end, any resulting consequence to the State's forward ability to borrow is shared by the opining agency resolving that this distinction was appropriate at that juncture.
CAP
GDOL remains fully committed to providing complete information for the statewide reporting. Accounting staff will submit data to DOAA after Information Technology has provided a complete file on UI program identified overpayments as of the end of the fiscal year. The data will include overpayment balances by category along with estimates for an uncollectible allowance.
Estimated Completion Date: June 30, 2022
Contact Person: John Williams, Accounting Director II Telephone: (404) 232-3577; E-mail: john.williams@gdol.ga.gov
2021-007 Waste and Abuse Related to Employee Meal Purchases
State Entity: Department of Labor (GDOL)
Corrective Action Plans: We strongly disagree that investing in the health and safety of our employees was reckless, grossly negligent, needless, imprudent, wasteful or unreasonable. The loss of life we suffered would likely have been far greater had we not taken the strategic approach to limit employee ingress and egress, provide meals and encourage social distancing in the workplace. Our attempt to protect our invaluable human resources by making the decision to reduce a known risk was neither abusive nor wasteful but an act of genuine compassion, a substantial benefit to the state, and more than reasonable given the alternatives. Again, this investment was most beneficial as the return yielded hundreds of thousands of additional hours in critically needed, cost-efficient productivity. Such disregard for humankind does little more than contribute to the reasons that so many are leaving the workplace and causes employers in every sector to suffer as a result. We were on the front lines in unprecedented circumstances and made a judgment call that we continue to believe was both necessary and appropriate and stand by that decision.
Estimated Completion Date: June 30, 2021
Contact Person: John Williams, Accounting Director II Telephone: (404) 232-3577; E-mail: john.williams@gdol.ga.gov
2021-008 Continue to Strengthen Logical Access Controls
State Entity: Department of Revenue (DOR)
Corrective Action Plans:
Security Review Process
During this phase, we will perform an evaluation and cleanup of the existing groups and function numbers to make the upgrade process easier.
Function Number Review
• Does the function name accurately and effectively describe the function?
  o Update/adjust all function names with confusing, odd, or inaccurate descriptions.
• Consolidate similar functions, when possible
• Function Sequence
  o Update sequence if there are any functions that are out of sequence
  o Excessive number of functions within a sequence of 100 (more than 10)
  o Should a new sequence be created for the functions that have different functionality?
Group Evaluation
• Is the group name clear and concise?
  o Update any confusing names, groups with similar names
• Consolidate existing groups when possible, i.e. groups with overlapping functions
• Do the current functions belong in each group?
Security Reorganization
In this phase, we will reorganize security to ensure it is version compatible and that all users have the necessary security.
Requirement Meetings
During this portion, we will hold security requirement meetings for each business unit to discuss the functions needed for each role. The Testing/Training Team will provide proposed security for users to discuss with each business unit. In the meetings, we will discuss:
• What functions do users currently have?
• What functions do they need?
• Are there any functions missing or any they should not have?
Roles
Now that the existing security functions and groups have been thoroughly reviewed, we are ready to identify the divisions of duty for each Bureau to determine the necessary version security roles.
A security role can contain a single security group or multiple security groups. Roles bring together groups (which contain functions for access control) and users (for access to functions, organizational hierarchies, and reporting hierarchies).
A role is made of multiple groups, which are made of multiple functions. There are four types:
• Primary Role: Default security required for every system user that contains the main set of functions required for the user to do their job. A user can only have one Primary role.
• Supplemental Role: Additional access that can be given to a user. Multiple Supplemental roles are allowed for a user but the functions for this role combined with any other role should never violate the separation of duty rules.
• Stopgap Role: Additional access that can be granted temporarily to fill an immediate need that changing them to another role could not accomplish. Multiple Stopgap roles are allowed for a user.
• Non-Production Role: Additional access that can be granted for non-production environments. Multiple Non-Production roles are allowed for a user.
Group Organization
Now that version security roles have been identified, we are ready to reorganize the existing set of functions into new security groups. The methodology behind the separation of groups with respect to security is the concept of responsibilities. This methodology allows groups to contain function numbers related to responsibilities performed on site. Examples of these responsibilities and groups include Account Maintenance, Return Correction, Refund Approval, etc.
Functions
Update each function to the 6-digit number or invalidated unused functions and any configuration that did not follow best practices
Version Security Comparison
Users
A user must be assigned to a Role but can be granted Supplemental Roles for additional security permissions. Access to functions is granted by the User's Role assignment(s).
Roles
A Role refers to a collection of Groups that corresponds to a business group within the agency. Role assignments determine:
• Which managers and windows users can see in the system;
• Which buttons and hyperlinks are displayed to users;
• Which functions users may perform within the system.
Groups
A Group refers to a grouping of Function Numbers that grant a User a specific set of permissions (i.e. Basic View, Basic Edit, Help Maintenance, etc.). Groups may contain one function or many functions.
Functions
A Function is simply a number and a description that is tied to a specific functionality within the system. A user must have access to the function number (FN) in order to perform the function. In other words, the user typically must be assigned to a role that includes the specific function number.
Security Maintenance
Security will be maintained in production and copied down into the lower environments on a weekly basis.
Roles and Responsibilities
Testing/Training Lead
• Monitor and report progress to project management, communicate any identified issues and risk
• Lead weekly status meetings with stakeholders
• Organize and build the project in Delivery Workbench
• Conduct initial review of existing security
Testing/Training Team
• Update Delivery Workbench with appropriate information
• Assist with Security Testing; lead tester training, write test scenarios, evaluate scenario failures
• Verify security organization
• Create and maintain documentation
Developer
• Update Delivery Workbench with appropriate information
• Oversee configuration
Security Team
• Assist with security testing
• Verify security organization; groups, roles, functions, and users
Tester
• Execute scenario written by testing and security team
• Provide adequate information if the scenario failed
Organization
All aspects of the version Security Overhaul will be tracked and documented in Delivery Workbench.
Three out of 24 developers had the capability to move their own system code changes into the production environment within the system. However, after further review, it was determined these three developers did not move any of their own system code changes into production.
DOR will implement a review process to ensure that this access is monitored and reviewed on a quarterly basis and that any instances where this elevated privilege is used that it has been documented and DOR is aware of why this was done and by who.
Implement review process 12/2022
Two out of 66 users had inappropriate privileged access to the server production environment that is used to host the system. This inappropriate access provided users with the capability to delete critical files needed for the operation of the system.
DOR has moved to the cloud and now controls all access to infrastructure. DOR will implement a review process to ensure that this access is monitored and reviewed on a quarterly basis.
Implement review process 12/2022
Fourteen out of 66 users had inappropriate access within the system that was not commensurate with their job responsibilities. While this inappropriate access allowed one user to perform activity and transactions in the production environment rather than in the testing environment, it was determined that the remaining 13 users did not perform any activity or transactions with their inappropriate access in the system.
DOR is reviewing all groups and functions to ensure they are appropriate and needed. We are documenting each group and function number to also ensure that it only grants the access that is appropriate.
DOR will implement a review process to ensure that groups and functions assigned to groups are appropriate and reviewed by the business owners on an annual basis.
Implement review process 9/2022
Six out of 42 users had inappropriate privileged access to the system database. Additionally, database administrators were assigned duplicate accounts with the same privileged access to the system.
DOR removed all inappropriate privileges
DOR will implement a review process to ensure all privileged access is reviewed and verified to be accurate and appropriate. The duplicate accounts are appropriate and necessary to maintain availability for the DOR database administrators (DBAs) if there's an Active Directory issue.
Implement review process 12/2022
The DOR has not established a formal process for reviewing the access privileges assigned to roles within the system to ensure appropriate segregation of duties are in place. In addition, our review disclosed that certain general security settings.
DOR is reviewing all groups and functions to ensure they are appropriate and needed. We are documenting each group and function number to also ensure that it only grants the access that is appropriate.
DOR will implement a review process to ensure that groups and functions assigned to groups are appropriate and reviewed by the business owners on an annual basis.
Implement review process 9/2022
System databases were not configured to provide reasonable assurance that the databases are not susceptible to potential exploitation based on known security vulnerabilities.
DOR is working to establish a set patching schedule for database patching. DOR has installed and updated all Database servers to provide reasonable assurance that these databases are not susceptible to exploitation based on known security vulnerabilities.
DOR will implement a scheduled patching that ensures all database servers are patched and updated regularly.
Implement scheduled patching and updates. Starting 4/22.
Estimated Completion Date: December 30, 2022
Contact Person: Henry Rutherford, Sr Mgr Application Support Development Telephone: (404) 417-6497; E-mail: henry.rutherford@dor.ga.gov
2021-009 Internal Controls Over Financial Reporting
State Entity: Savannah State University
Corrective Action Plans: We concur with the finding. Savannah State University's corrective action plan consists of both hiring additional accounting staff and the replacement of some existing staff. Savannah State University recently hired new leadership within the Business and Financial Affairs area with the hiring of a new Vice President for Business and Financial Affairs. In addition, the University is also in the process of hiring a new Controller to assist with the evaluation, modification and development of policies and procedures to ensure an appropriate internal control structure is in place and functioning properly. Over the next fiscal year, the University will ensure that all accounts are reconciled and that sufficient documentation to support the University's financial statements is available.
Estimated Completion Date: June 30, 2022
Contact Person: Megan Davidson, VP for Business and Financial Affairs Telephone: (912) 358-4002; E-mail: davidsonm@savannahstate.edu
2021-010 Improve Controls over Financial Reporting
State Entity: State Road and Tollway Authority (SRTA)
Corrective Action Plans: Currently and going forward, the action of SRTA is to continue to develop and ensure the usage of fundamental accounting principles and best practice guidance, as well as provide adequate staffing, towards the effort of maintaining accurate and timely accounting data. In FY 2022, additional staff was hired to aid in the efforts of improving accounting data recordkeeping, assist with the documentation of processes and procedures, and reduce the reliance of correction entries and post-closing adjustments. In addition, staff will be hired as soon as possible to assist with ongoing financial reporting and internal controls. New processes have already been implemented to ensure the proper accounting for contracts payable entries and unearned revenue entries. SRTA continues to add items to the month-end/year-end closing checklists to provide assurance that proper procedural steps are being actively followed and key chartfield data, such as fund, funding source, project, etc., is recorded correctly in the State's Financial System. Performing monthly reconciliations, routine training of staff on financial system competencies, and reviews of account and other key data factors have been implemented and are being practiced routinely.
It should be noted that as with most state entities of similar financial complexity that use the State's Financial System, SRTA will never be able to abandon manual processes completely. By improving accounting data recordkeeping and account ledger maintenance, a timely and accurate financial data set needed for the basis/foundation will be available to prepare and report timely and accurate financial statements. This will put SRTA in the best place it can be to improve and solidify the financial statement preparation process. In addition, SRTA will continue to partner with SAO on future financial reporting steps and the use of new tools.
Estimated Completion Date: June 30, 2022
Contact Person: Monique Simmons, Chief Financial Officer Telephone: (404) 893-3003; E-mail: msimmons@srta.ga.gov
2021-011 Improve Controls over Capital Assets
State Entity: State Road and Tollway Authority (SRTA)
Corrective Action Plans: Currently and going forward, the action of SRTA is to continue to develop and ensure the proper internal controls over capital assets. The Asset Management software solution will be available for use in calendar year 2022. This solution will replace the need for spreadsheets and manual calculations. In addition, the financial staff will continue to work closely with the Atlanta-Region Transit Link Authority (ATL's) Asset Management Manager to ensure clear communication regarding capital asset policies and procedures.
Estimated Completion Date: December 31, 2022
Contact Person: Monique Simmons, Chief Financial Officer Telephone: (404) 893-3003; E-mail: msimmons@srta.ga.gov
2021-012 Controls over Capital Assets
State Entity: Georgia Public Telecommunications Commission (GPTC)
Corrective Action Plans: The GPTC Finance department is responsible for asset management and intends to address the deficiency as follows:
• GPTC's asset management policy will be reviewed and revised.
• Ensure new staff are trained on the asset process, as needed.
• Senior leadership and custodians of GPTC assets will receive specific guidance on the asset management process.
  o For example, how assets are acquired and properly disposed of in accordance with GPTC and State Accounting Office policies.
A part of the revised policy includes a plan for a complete inventory of all GPTC assets across the state of Georgia. As our assets are located at headquarters and across the state, we propose to complete a full inventory every 2-3 years with a complete inventory of all field sites one year and headquarters the next.
Immediate action will involve an inventory by GPTC staff of large value headquarters assets and as many field locations as possible by the end of FY 2022. Any remaining headquarter assets and field locations will be completed in FY 2023. This will give GPTC a true baseline for future asset acquisitions, disposals or surplus items, and inventory.
Estimated Completion Date: June 30, 2023
Contact Person: Elizabeth Laprade, Chief Financial Officer Telephone: (404) 685-2619; E-mail: elaprade@gpb.org
2021-013 Revenue Sharing Agreement Noncompliance
State Entity: Georgia Institute of Technology Research Corporation (GTRC)
Corrective Action Plans: GTRC management has advised the Georgia Tech Office of General Counsel (OGC), Office of Administration and Finance (A&F), Enterprise Innovation Institute (EII), Georgia Tech Professional Education (GTPE) and other colleges and departments that all future procurements for services in support of Georgia Tech operations must be administered through Georgia Tech Purchasing. GTRC management has also written policies and procedures regarding appropriate and inappropriate procurements for the Research Corporations and trained Office of Sponsored Programs (OSP) Contracting Officers and GTRC Accounting Staff on these policies as they apply to the revenue-sharing agreement that generated this finding.
GTRC management has informed all units involved about the inappropriate actions which resulted in this finding. GTRC's response includes training campus departments, through outreach programs, on the proper authority required to commit resources and upon recognition of situations when payments should be made by Georgia Tech Accounts Payable.
Estimated Completion Date: February 1, 2022
Contact Person: Robert Foy, Interim General Manager GTRC Telephone: (404) 894-2000; E-mail: robert.foy@business.gatech.edu

Summary Schedule of Prior Audit Financial Findings

Brian P. Kemp Governor
Gerlda Hines, CPA State Accounting Officer
March 15, 2022
Mr. Greg S. Griffin, State Auditor
Georgia Department of Audits and Accounts
270 Washington Street, S.W., Room 1-156
Atlanta, Georgia 30334-8400

Dear Mr. Griffin,

Enclosed with this letter is the State of Georgia's "Summary Schedule of Prior Audit Financial Findings" (Schedule) relating to financial statement findings, for reporting in the Single Audit for fiscal year ending June 30, 2021. This Schedule is compiled by the State Accounting Office (SAO) based on answers provided by the respective State Organization.

The State's Schedule reports the status, as of June 30, 2021, for all financial audit findings reported in the 2020 fiscal year Single Audit's "Schedule of Findings and Questioned Costs" and "Summary Schedule of Prior Audit Findings" that were not corrected. The findings are organized by State Organization and finding number (the finding number corresponds to the reference number that was reported in the prior fiscal year).

The State's Schedule satisfies the requirements as detailed in Title 2 U.S. Code of Federal Regulations, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Subpart F, Section 511 Audit findings follow-up.

If you have any questions regarding this Schedule, please contact our Office.

Sincerely,
Gerlda B. Hines, CPA State Accounting Officer
200 Piedmont Avenue 1604 West Tower Atlanta, Georgia 30334 (404) 656-2133 (404) 463-5089 FAX www.sao.georgia.gov

STATE OF GEORGIA SUMMARY SCHEDULE OF PRIOR AUDIT FINANCIAL FINDINGS
YEAR ENDED JUNE 30, 2021
TABLE OF CONTENTS

FINANCIAL STATEMENT FINDINGS UNDER GOVERNMENT AUDITING STANDARDS

STATE ENTITY¹   STATE AGENCY
                Statewide
405             Department of Public Health
419             Department of Community Health
427             Department of Human Services
440             Department of Labor
474             Department of Revenue
548             Savannah State University
927             State Road and Tollway Authority

¹ The entity number represents the control number that was assigned to each State entity.

PRIOR FINANCIAL STATEMENT FINDINGS REPORTED UNDER GOVERNMENT AUDITING STANDARDS

2020-001 Continue to Strengthen Logical Access Controls

State Entity: Statewide Finding

Repeat of Prior Year Finding: 2019-002

Finding Status: Partially Resolved

While the State Accounting Office (SAO) was able to establish a matrix for segregation of duties for user roles, establish a review process, provide an overview to agency security officers, and address general security concerns, SAO is still in the process of reviewing SAO TeamWorks roles and finalizing the review process. This review was not fully completed due to staff changes and other higher priorities due to the COVID-19 pandemic. SAO anticipates having these established procedures in place by 06/30/2022.

2019-002 Strengthen Logical Access Controls

State Entity: Statewide Finding

Finding Status: Partially Resolved

See response to finding number 2020-001.

2020-002 Improve Financial Reporting Controls

State Entity:

Department of Public Health

Repeat of Prior Year Finding: 2019-003, 2018-003

Finding Status: Previously Reported Corrective Action Implemented

2019-003 Improve Financial Reporting Controls

State Entity:

Department of Public Health

Repeat of Prior Year Finding: 2018-003

Finding Status: Previously Reported Corrective Action Implemented

2018-003 Improve Financial Reporting Controls

State Entity:

Department of Public Health

Finding Status: Previously Reported Corrective Action Implemented


2017-003 Strengthen Bank Reconciliation Procedures

State Entity:

Department of Public Health

Finding Status: Previously Reported Corrective Action Implemented

2020-003 Continue to Strengthen Financial Reporting Controls

State Entity:

Department of Community Health

Repeat of Prior Year Finding: 2019-005, 2018-005

Finding Status: Previously Reported Corrective Action Implemented

2019-005 Continue to Strengthen Financial Reporting Controls

State Entity:

Department of Community Health

Repeat of Prior Year Finding: 2018-005

Finding Status: Previously Reported Corrective Action Implemented

2018-005 Strengthen Financial Reporting Controls

State Entity:

Department of Community Health

Finding Status: Previously Reported Corrective Action Implemented

2020-004 Continue to Strengthen Application Risk Management Program

State Entity:

Department of Community Health

Repeat of Prior Year Finding: 2019-006, 2018-006

Finding Status: Partially Resolved

Implementation of the previous Corrective Action Plan (CAP) is still in progress. The Agency has identified and secured the necessary matching State funds along with approved Federal funds required to implement its CAP in order to fully remediate the audit finding by December 31, 2022. As a part of the remediation, the Agency is moving forward with acquiring the identified internal cybersecurity resources and contracted security services required to fully remediate the audit finding within the identified timeframe.
DCH Cybersecurity continues to monitor security compliance through the following:
Reviewed and approved the certification Security assessment report and POAM.
Currently tracking the remediation of one moderate severity compliance gap.
Security and privacy certification was approved by CMS.
SSP and POAM were reviewed with GTA OIS. No additional security compliance recommendations were provided by GTA OIS.
Working with solution provider to implement a solution for all privileged accounts.


2019-006 Continue to Strengthen Application Risk Management Program

State Entity:

Department of Community Health

Repeat of Prior Year Finding: 2018-006

Finding Status: Partially Resolved

See response to finding number 2020-004.

2018-006 Continue to Strengthen Application Risk Management Program

State Entity:

Department of Community Health

Finding Status: Partially Resolved

See response to finding number 2020-004.

2020-005 Strengthen Logical Access Controls

State Entity:

Department of Human Services

Finding Status: Previously Reported Corrective Action Implemented

2020-006 Strengthen Information Technology General Controls

State Entity:

Department of Human Services

Finding Status: Partially Resolved

The general database settings are partially resolved. One of the items required additional testing prior to being promoted to the Production environment. The change will be applied to the Production environment by 4/30/2022. Additionally, the general database setting will be reviewed quarterly, and evidence of review completion stored electronically.

2020-007 Strengthen Logical Access Controls

State Entity:

Department of Labor

Finding Status: Partially Resolved

The Corrective Action Plan has been implemented as originally scheduled. Going forward the Information Technology division will continue to follow established user access reviews and enhance the current annual transaction access review process. We will continue to collaborate with business units to design more specific roles to align more closely with each user's role and daily tasks as appropriate.


2020-008 Improve Controls over the Identification and Recording of Overpayments

State Entity:

Department of Labor

Finding Status: Partially Resolved

The system is now in place to track and establish CARES Act overpayments. The list used to maintain a record prior to implementation is processed daily by staff to enter overpayments pending establishment. ETA 227 amended reports will be submitted for first impacted period through the current period at the time of implementation. ETA 902P amended reports will be updated appropriately going forward as overpayments are identified and recorded. Since the original response, Georgia has also taken the following actions:
Implemented identity verification for all PUA claimants who received a payment after 12/27/20 as outlined in UIPL 28-20, Change 1 and Change 2.
All claims filed must complete identity verification effective 5/26/21 before their claim can be processed and eligibility determined.
We have added additional staff in our UI Integrity Unit to investigate suspicions of fraud due to identity theft and the Overpayment Unit to investigate indications of overpayments and/or fraud related to matters not originated from identity theft. For example, returning to work and not reporting earnings.
The administration that oversees the overpayment activities instituted a requirement for unit management to utilize Recover Dashboard (tool for tracking and billing overpayment recoveries) ad hoc reports to monitor unit and staff workload.

Programming to create overpayments and issue determinations for federal programs was implemented in February 2021. Automated processes have also been implemented for supplemental payments to be established appropriately when the parent UI payment is determined overpaid.
Georgia plans to take the following actions to address the auditor's recommendations:
The vendor handling our overpayments, and GDOL's Information Technology (IT) personnel are working together to implement any remaining system modifications needed to support the identification, tracking and reporting of overpayments associated with the CARES Act UI programs.
Workforce Statistics & Economic Research (WS&ER) will develop a process to perform overpayment system reconciliation at the time the ETA227 and 902 reports are being prepared to greatly reduce and/or eliminate reconciliation issues at year end.
GDOL's Finance Department will record an allowance appropriate for uncollectible overpayments in accordance with the financial with overpayment generated data from the CICS Host system.
Program controls were in place prior to the pandemic and continued to be employed and applied to federal programs which included flagging claims indicating improper or potentially fraudulent payments for investigation.


2020-009 Improve Controls over the Year-End Accruals Process

State Entity:

Department of Labor

Finding Status: Partially Resolved

GDOL is committed to work with the SAO and DOAA to determine the best method for generating estimates needed for future potential accrual entries for federal UI programs. Any estimate would need to be both materially accurate and readily auditable.

2020-010 Strengthen Financial Reporting Controls

State Entity:

Department of Revenue

Finding Status: Previously Reported Corrective Action Implemented

2020-011 Continue to Strengthen Logical Access Controls

State Entity:

Department of Revenue

Repeat of Prior Year Finding: 2019-009

Finding Status: Partially Resolved

Documenting and implementing a user access review process for the server environment and current users' application roles to determine whether users' access continues to be appropriate based on job responsibilities.
Corrective Action taken is for the next review to ensure that there is no inappropriate access "to any server hosting certain applications". A review process is being worked on now that the certain infrastructure has moved. Estimated date to have this completed is February 28, 2022.
A work item will be systematically created twice a year which will be auto-assigned to any user with employees in certain applications. Work item lists all employees and their access and cannot be closed until all employees have been marked as reviewed and approved. Any access not approved will require supervisor to follow current process of submitting security case to change access. Corrective action taken that will fully resolve is the automated work item process that was implemented in July 2020.

Documenting and implementing procedures for reviewing privileges assigned to application roles to determine whether proper segregation of duties exist and are enforced within the system.


The application "version" provides the ability to overhaul the security and truly provide a role based and least privilege security model. This version will allow the opportunity to do a complete review of functions within the roles/groups. The estimated date for having this completely resolved with the version upgrade is Fall of 2022.
Removing the additional inappropriate user access identified within the application. Resolved.
Correcting the configuration of the roles that allowed access to enter and approve the annual interest rate associated with past due accounts within the system. Resolved.

2019-009 Strengthen Logical Access Controls

State Entity:

Department of Revenue

Finding Status: Partially Resolved

See response to finding number 2020-011.

2020-012 Internal Controls Over Financial Reporting

State Entity:

Savannah State University

Finding Status: Unresolved

Savannah State University's corrective action plan consists of both hiring additional accounting staff and the replacement of some existing staff. Savannah State University recently hired new leadership within the Business and Financial Affairs area with the hiring of a new Vice President for Business and Financial Affairs. The VPBFA has a Master's in Accounting and over 12 years of financial reporting experience in Higher Education. In addition, the University is also in the process of hiring a new Controller to assist with the establishment of new internal controls. Over the next fiscal year, the University will ensure that all accounts are reconciled and that the financial statements have sufficient substantiation. This will be fully resolved by June 30, 2022.

2018-014 Improve Controls over Financial Reporting

State Entity:

State Road and Tollway Authority

Repeat of Prior Year Finding: 2017-019, 2016-025

Finding Status: Partially Resolved


Currently and going forward, the action of the State Road and Tollway Authority is to develop and ensure the usage of fundamental accounting principles and best practice guidance, as well as provide adequate staffing, towards the effort of maintaining accurate and timely accounting data. In FY 2021, additional staff has been hired to aid in the efforts of improving accounting data recordkeeping and reduce the reliance of correction entries and post-closing adjustments. The installation of process governance and month-end/year-end closing checklists provides assurance that proper procedural steps are being actively followed and key chartfield data, such as fund, funding source, project, etc., is recorded correctly in the State's Financial System. Performing monthly reconciliations, routine training of staff on financial system competencies, and reviews of account and other key data factors have been implemented and are being practiced routinely.
By improving accounting data recordkeeping and account ledger maintenance, a timely and accurate financial data set needed for the basis/foundation will be available to prepare and report timely and accurate financial statements. This will put the Authority in the best place it can be to improve and solidify the financial statement preparation process. In addition, SRTA has partnered with the State Accounting Office to implement a new tool for financial reporting that is mapped to the State's Financial System.
The State Road and Tollway Authority has also implemented a formal user access review process to ensure that appropriate staff have access to the transportation and tolling system and their roles are assigned correctly.
SRTA is striving to use all resources available to assist with accounting record keeping efforts and controls.
Staff turnover, migration to a new financial system beginning in Fiscal year 2019, and complications generated by the COVID-19 pandemic have created obstacles to the Authority's ultimate goal of internal control practices. The Authority continues to strive to meet and exceed the stated goals in this finding and will continue its efforts to improve.

2017-019 Improve Controls over Financial Reporting

State Entity:

State Road and Tollway Authority

Repeat of Prior Year Finding: 2016-025

Finding Status: Partially Resolved

See response to finding number 2018-014.

2016-025 Improve Controls over Financial Reporting

State Entity:

State Road and Tollway Authority

Finding Status: Partially Resolved

See response to finding number 2018-014.

Locations