Audits, Evaluations and Reviews

For the second year in a row, an independent audit of CNCS’s consolidated Fiscal Year 2018 financial statements resulted in a disclaimer of opinion, the worst possible outcome for a financial statement audit. CNCS did not cure the four material weaknesses and one significant deficiency identified in the FY 2017 audit. This year, the auditors reported six additional material weaknesses and another significant deficiency.

In layman’s terms, the financial statements were unauditable and likely subject to pervasive material errors. CNCS’s financial transaction recording, processing and reporting are not sufficiently reliable to produce reliable financial statements.

Key audit findings were:

• Disclaimer of Opinion: CNCS was unable to provide adequate evidential matter to support a significant number of transactions and account balances due to inadequate processes and controls to support transactions and estimates, and incomplete records to support accounting for transactions in accordance with generally accepted accounting principles. We were unable to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion.
   
• Ten material weaknesses and two significant deficiencies in CNCS’s internal control over financial reporting. These issues included:
   
• • Material Weaknesses:
    
    • Internal Controls Program: The system of internal controls failed to identify numerous and pervasive material weaknesses that the auditors found in financial reporting and in specific material line items on the financial statements;
       
• • • Financial System and Reporting: CNCS’s financial reporting was hindered by limitations in its financial system and the timing and difficulties arising from a system upgrade, insufficient accounting staff and inadequate internal controls;
       
• • • Trust Fund Unpaid Obligations: CNCS significantly overstated its Trust obligation balance and obligated substantially more than is necessary to pay its anticipated liabilities;
       
• • • Trust Service Award Liability: The model used to establish the liability included calculation errors and lacked quality controls, which impair significantly the accuracy of the reported liability;
       
• • • Grants Accrual Payable and Advances: Key assumptions underlying this estimate are not validated and properly documented based on historical data analysis and grantees’ actual spending patterns;
       
• • • Undelivered Orders and Accounts Payable – Procurement: CNCS did not have adequate internal controls to ensure the accuracy of obligated balances and to de-obligate stale and invalid obligations related to contracts and purchase orders;
       
• • • Property and Equipment: CNCS did not timely capitalize its Internal Use Software at interim financial reporting periods;
       
• • • Undelivered Orders – Grants: There were unexplained disparities between various grant and financial management systems within CNCS regarding grant expenditures and grant award amounts; grants were not timely closed-out;
       
• • • Recoveries of Prior Year Obligations: CNCS was unable to provide any documentation to support about one-third of the sampled transactions; and
       
• • • Other Liabilities: CNCS was unable to provide any supporting documentation for approximately $14 million of the $20 million balance reported as of June 30, 2018.
       
• • Significant Deficiencies:
     
    • Information Technology Security Controls: There were new and continued control weaknesses in the information security program that need to be addressed in configuration management, access control and security management; and
       
• • • Accounts Receivable and Allowance for Doubtful Accounts: CNCS did not follow its Debt Management Policy by writing off Accounts Receivable items delinquent for two years or more.

We made 70 recommendations to CNCS. The recommendations include immediate corrective actions to address pervasive material weaknesses and significant deficiencies.

CNCS responds that it “does not entirely concur” with the findings and recommendations, but does not specify its disagreements or the basis for them. CNCS provides various reasons and explanations for the difficulties that it encountered, but the auditors have not audited and cannot validate these explanations.

The independent accounting firm of CliftonLarsonAllen LLP, performed the audit of the CNCS fiscal year 2018 consolidated financial statements, under contract with CNCS-OIG.

For the second year in a row, an independent audit of CNCS’s National Service Trust Fund Fiscal Year 2018 financial statements resulted in a disclaimer of opinion, the worst possible outcome for a financial statement audit. CNCS did not cure the three material weaknesses and one significant deficiency identified in the FY 2017 audit. This year, the auditors reported another new material weakness.

In layman’s terms, the financial statements were unauditable and likely subject to pervasive material errors. CNCS’s financial transaction recording, processing and reporting are not sufficiently reliable to produce reliable financial statements.

Key audit findings were:

• Disclaimer of Opinion: CNCS was unable to provide adequate evidential matter to support a significant number of transactions and account balances due to inadequate processes and controls to support transactions and estimates, and incomplete records to support accounting for transactions in accordance with generally accepted accounting principles. We were unable to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion.
   
• Four material weaknesses and one significant deficiency in CNCS’s internal control over financial reporting. These issues included:
   
• • Material Weaknesses:
    
    • Internal Controls Program: The system of internal controls failed to identify numerous and pervasive material weaknesses that the auditors found in financial reporting and in specific material line items on the financial statements;
       
• • • Financial System and Reporting: CNCS’s financial reporting was hindered by limitations in its financial system and the timing and difficulties arising from a system upgrade, accounting staff turnover, and inadequate internal controls;
       
• • • Trust Fund Unpaid Obligations: CNCS significantly overstated its Trust obligation balance and obligated substantially more than is necessary to pay its anticipated liabilities; and
       
• • • Trust Service Award Liability: The model used to establish the liability included calculation errors and lacked quality controls, which impair significantly the accuracy of the reported liability;
       
• • Significant Deficiency:
    
    • Information Technology Security Controls: There were new and continued control weaknesses in the information security program that need to be addressed in configuration management, access control and security management.

We made 45 recommendations to CNCS. The recommendations include immediate corrective actions to address pervasive material weaknesses and significant deficiency.

CNCS responds that it “does not entirely concur” with the findings and recommendations, but does not specify its disagreements or the basis for them. CNCS provides various reasons aned explanations for the difficulties that it encountered, but the auditors have not audited and cannot validate these explanations.

The independent accounting firm of CliftonLarsonAllen LLP, performed the audit of the CNCS’s National Service Trust Fund FY 2018 financial statements, under contract with CNCS-OIG.

The Corporation for National and Community Service, Office of Inspector General (CNCS-OIG) issued a Management Alert to express our concerns over the following proposed regulatory changes to the Senior Corps Program, which do not appear to have undergone adequate risk assessment prior to the proposed rule-making: (1) Reducing the minimum number of volunteer service hours per week from 15 to 5; and (2) Eliminating the Direct Benefit Ratio or 80/20 Rule, which requires that at least 80 percent of the Federal grant award be expended for volunteer benefits.

CNCS-OIG’s analysis suggests that these two changes may increase certain per-volunteer costs, and simultaneously decrease significantly the service hours delivered to the served communities.  CNCS has not considered these potential financial and programmatic effects, nor has it undertaken a pilot program to identify any other unintended consequences.

We made three recommendations to CNCS, focused on additional analysis and research into potential increased costs and reduction in community service hours.  CNCS’s response did not address the concerns substantively, but said that it would do so as part of the rulemaking process.

The Corporation for National and Community Service, Office of Inspector General (CNCS-OIG) conducted an evaluation of the Volunteers in Service to America (VISTA) program to assess its effectiveness.  CNCS-OIG’s evaluation focused on member activity, project sustainability, and member attrition.

CNCS-OIG found:

• Documentation maintained during the execution of a project does not contain sufficient details to validate member activities are consistent with program purposes or are the same as the planned activities. 
• Project activities did not build capacity or enable projects to be fully sustained following VISTA support in 12 out of 27 organizations reviewed; 
• The VISTA program had an attrition rate of 16.8 percent in the time period evaluated (FY 2014 – 2015), with the primary causes of turnover identified as other employment/financial hardship (80 percent), dissatisfaction with the program (15 percent), and medical issues (5 percent).

Based upon these findings, CNCS-OIG  made 11 recommendations to help CNCS VISTA:

• Enhance the existing monitoring program to provide greater insight into member activity and program effectiveness;
• Develop a standard for capturing the capacity building and measuring sustainability during and after the VISTA project is completed;
• Strengthen the VISTA member experience to improve member retention; and
• Develop and implement a strategy for improving member retention.

CNCS has taken some corrective actions since we issued the draft report.  CNCS-OIG will review CNCS’s status of audit resolutions after CNCS issues its final management decision on the findings and recommendations.

The agreed-upon procedures (AUP) review of AmeriCorps grant funds to SerVermont, Vermont’s State Service Commission and two subrecipients identified questioned Federal costs totaling $122,551, questioned matching costs of $38,746, questioned Education Awards of $40,342 and compliance findings.  The majority of the questioned costs were caused by deficiencies with National Service Criminal History Checks.  The costs tested were incurred between April 15, 2015 and August 31, 2017.

SerVermont concurred that the auditors found noncompliant NSCHCs at the Commission and the two subrecipients but disagreed on the related questioned costs.  The Corporation will resolve the report’s findings and recommendations.

The Corporation for National and Community Service, Office of Inspector General (CNCS-OIG) conducted a review to determine whether the $2.6 million NCCC member recruitment contract is structured to meet the crucial goal of annually filling the 1,200 Traditional NCCC and 1,000 FEMA Corps vacancies with members likely to successfully complete their terms of service.

CNCS-OIG found that:

1. The NCCC recruitment contract places up to $2.6 million at risk;
2. Although the NCCC contract requires the contractor to create and maintain a database of prospective applicants that complies with CNCS cybersecurity and privacy policies and procedures, there is no assurance that the database, in fact, meets Federal and CNCS standards;
3. The contractor failed to demonstrate that it possesses the experience and proof of success specified in the solicitation and necessary for satisfactory performance; and,
4. The CNCS Contracting Officer’s Representative (COR) lacks the requisite recruiting experience and has not exercised sufficient oversight.

Based upon our findings, we recommend that NCCC take the following actions:

1. Decline to exercise the option to continue the recruitment contract in future years;
2. Promptly undertake a new procurement, with clear objectives, statement of work, experience requirements and professional attributes and deliverables. The new contract should be structured as a performance-based contract, with metrics tied to the recruitment of applicants who meet the program criteria, meet the diversity requirements and successfully complete their terms;
3. Assign a COR who has strong recruitment knowledge and experience to effectively manage and oversee this contract;
4. Ensure that the selected contractor demonstrates the requisite past performance, meets all the technically acceptable evaluation criteria and has qualified personnel who all meet the Statement of Work (SOW) requirements; and
5. Provide bidders with the Federal and CNCS detailed cybersecurity requirements, policies and procedures, and have the CNCS information security officer review the bidder’s cybersecurity safeguards to ensure that it has the systems in place to maintain secure databases that meet applicable cybersecurity mandates and protect Personally Identifiable Information.

The Corporation agreed to implement recommendations 1, 4 and 5. With respect to recommendation number 2, while CNCS agreed to procure a new recruitment contract, CNCS committed only to "explore pursuing a performance-based contract” (emphasis added). However, NCCC treats its recruitment strategy as quantitative—increasing the leads that may generate members—and does not intend to include outcome-based qualitative metrics tied to qualifications, diversity and the ability to successfully complete service. The lack of focus on successful enrollment of highly qualified, diverse individuals who fulfill their service obligations creates a substantial risk that the new recruiting contract will be flawed and will not produce the desired program performance outcomes, resulting in additional funds at risk. CNCS also did not concur with CNCS-OIG’s findings and recommendations pertaining to the experience and oversight of its COR.

An agreed-upon procedures (AUP) review of AmeriCorps grant funds to the New Mexico Commission for Community Volunteerism (NMCCV) and two subgrantees during the period of January 1, 2015 through March 31, 2017, identified questioned Federal costs totaling $29,627 and matching costs of $121,996, as well as compliance findings. In addition to the AmeriCorps grants, NMCCV also received a Corporation Training and Technical Assistance grant to provide training and assistance to NMCCV and subgrantee staff.  The majority of the questioned costs were caused by deficiencies in subgrantees’ financial management systems and non-compliance with member living allowance requirements.

NMCCV concurred with most of the findings and recommendations, but disagreed on the finding related to member living allowances and requested an extension to determine the reason for the unsupported costs.  The Corporation will resolve the report’s findings and recommendations.

Despite a continuous focus on improving its Improper Payments Elimination and Recovery Act of 2010 (IPERA) compliance program, the Corporation for National and Community Service (CNCS) remains unable to reliably estimate the amount or the rate of improper payments in the AmeriCorps State and National Program (AmeriCorps), Foster Grandparent Program (FGP), Retired and Senior Volunteer Program (RSVP), and Senior Companion Program (SCP). Specifically, we noted that the improper payments information reported in CNCS’s fiscal year (FY) 2017 Annual Management Report (AMR) is unreliable and incomplete; CNCS therefore did not comply with IPERA.  As in the past, we identified flaws in multiple stages of CNCS’s improper payments assessment process; many of these flaws resulted from insufficient time and personnel to perform the FY 2017 IPERA testing.

CNCS implemented a new alternative sampling methodology in FY 2017, as well as other corrective actions to address findings noted in the FY 2015 IPERA audit report.  As a result of this progress, CNCS has met an additional OMB criterion for IPERA compliance, with two prior audit findings fully resolved in FY 2017.  CNCS’s efforts also reduced the severity of some the issues, which are mainly limited to the sufficiency and adequacy of documentation as of FY 2017.

However, these partial improvements did not substantially improve CNCS’s IPERA compliance, as CNCS did not meet four of the six OMB IPERA compliance criteria.  Specifically, we identified the following compliance issues and other matters, all of which are recurring from the prior years:

• CNCS did not properly identify improper payments, and the published improper payment estimates are not       statistically valid, complete, or accurate.  Specifically, we noted significant errors in CNCS’s sampling selection for its stratified sample and found that CNCS did not always follow, or document how it followed, its OMB-approved alternative sampling methodology.
• CNCS did not fully comply with the IPERA risk assessment requirements, as it did not maintain documentation to support that it had performed additional procedures to verify that the FY 2015 risk assessment results were still valid for FY 2017.
• CNCS did not meet its annual improper payment reduction targets for AmeriCorps, as the actual improper payment error rate reported was nearly twice the reduction target rate.
• CNCS published an improper payment estimate that was greater than the acceptable threshold for IPERA compliance, or 10 percent, for three of its four programs (i.e., AmeriCorps, FGP, and SCP).

Our report also notes other matters relating to CNCS’s ability to reduce and recapture improper payments, as follows:

• CNCS did not adequately report on high-dollar over-payments, as it did not specify the risk-susceptible programs subject to high-dollar over-payments included in its report.
• CNCS did not complete a cost-benefit assessment for payment recapture audits.
• CNCS did not complete the reporting required as a result of its programs not complying with IPERA for three consecutive fiscal years.

The Mayor's Fund to Advance New York City (Mayor's Fund) served as the intermediary (i.e., the prime grantee) for a Social Innovation Fund (SIF) grant from CNCS totaling approximately $28.5 million for the period from August 1, 2010 to July 31, 2015.  The Mayor's Fund divided its responsibilities among itself, the Center for Economic Opportunity (CEO) and MDRC, a non-profit, nonpartisan social and education policy research firm. Ultimately, the Mayor's Fund subawarded $25.8 million in SIF funds to 19 subgrantees.

CNCS-OIG questioned more than $4.6 million based upon an audit of the costs incurred by the Mayor's Fundand three of its subgrantees: the Children's Aid Society, the Henry Street Project, and Madison Strategies Group (Madison), for the period from July 1, 2012,to June 30, 2015. The majority of these question costs flow from two findings: (1) MDRC's failure to conduct criminal history checks for its 165 staff members who were paid with SIF funds; and (2) a decision by the Mayor's Fund to award a subgrant to Madison, an unqualified organization with a substantial conflict of interest.

CNCS was apparently unaware of either of these problems, which we detail in this report.

An agreed-upon procedures (AUP) review of AmeriCorps grant funds to the Kentucky Commission on Community Volunteerism and Service (KCCVS) and two subgrantees during the period of January 1, 2013 - September 1, 2016, identified questioned costs totaling $851,954, as well as compliance findings.

Most of the questioned costs resulted from deficiencies in the procedures used by KCCVS and its subgrantees to perform criminal history checks, including failure to perform the checks for grant-funded staff, and incomplete or insufficient criminal history checks for AmeriCorps members by subgrantees.  Other deficiencies related to: (1) inadequate monitoring of subgrantees’ compliance with program requirements, to include evaluations and member service agreements; (2) unapproved remote service and service activities not in accordance with subgrant objectives; (3) Improper use of program income; and (4) inadequate support of cost share.

KCCVS concurred with most of the compliance findings but not the amounts questioned. The Corporation will resolve the report’s findings and recommendations.

CNCS has devoted significant resources to improving cybersecurity over the past few years, with meaningful progress.  Although its information security program is not yet sufficiently mature, it can reach effectiveness with continued effort and investment.

Achieving effectiveness will require attention to weaknesses that pose significant risks to information security.  Our 2017 evaluation found inadequacies in risk management, configuration management, identity and access management, information security continuous monitoring, and contingency planning.  Enforcement of information security is inconsistent across the enterprise, with field components remaining especially vulnerable. These continuing vulnerabilities leave CNCS operations and assets at risk of unauthorized access, misuse and disruption. Our report offers 34 recommendations to address the identified weaknesses and assist CNCS in strengthening its information security program.  Eight of the recommendations relate to prior findings that have not been completely addressed by CNCS. 

The CNCS OIG contracted with CLA, LLP to review the controls put into place by the CNCS OIT to secure three internal web applications and associated infrastructure resulting in five recommendations. The objectives were to assess and report any risks that could lead to information technology security incidents, recommend improvements in the operations of the information systems, and identify gaps between the Corporation's current information security posture and industry best practices. CLA found critical application vulnerabilities, missing patches and unsupported software, incorrect documentation, and configuration weaknesses. CLA recommended that CNCS improve its patching effectiveness, update unsupported software, fully remediate configuration weaknesses and noted vulnerabilities, practice secure coding, and update its documentation.

We issued a disclaimer of opinion on the audit the National Service Trust Fund financial statements (Trust financial statements) as of September 30, 2017 and for the year then ended.  CNCS was unable to provide adequate evidential matter to support a significant number of transactions and account balances due to inadequate processes and controls to support transactions and estimates, and incomplete records to support transactions in accordance with generally accepted accounting principles. Auditors were unable to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion (disclaimer).

We issued a disclaimer of opinion on the consolidated financial statements of the Corporation for National and Community Service (CNCS) as of September 30, 2017 and for the year then ended. Key audit findings were:

• CNCS was unable to provide adequate evidential matter to support a significant number of transactions and account balances due to inadequate processes and controls to support transactions and estimates, and incomplete records to support transactions in accordance with generally accepted accounting principles. Auditors were unable to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion (disclaimer);
• Four material weaknesses (Financial Reporting; Trust Fund Unpaid Obligations; Trust Service Award Liability Model; Grants Accrual Payable and Advance) and one significant deficiency (Information Technology Security Controls) in CNCS’s internal control over financial reporting;
• No instances of noncompliance with applicable provisions of laws, regulations, contracts, and grant agreements.

Had the scope of the auditors work been sufficient to enable them to express an opinion on the CNCS consolidated financial statements, other material weaknesses or significant deficiencies, or noncompliance or other matters may have been identified and reported.

CNCS did not fully comply with the DATA Act due to weaknesses in its existing financial reporting system (internal control over source systems) and internal control weaknesses within financial reporting, data management, and data reporting processes.  CNCS did not submit complete, timely, quality, and accurate financial and award data for the FY 2017 second quarter.  The Corporation continues to grapple with the implementation challenges previously reported in the readiness review, as well as new challenges identified by this performance audit.