Revision 17-1; Effective May 5, 2017
Criteria for Categorizing What Normally Would Be a Low Risk to a High Risk Audit Exception [note applicable explanation/justification]:
- Finding noted during the review; no corrective action plan in place.
- Finding noted in a prior audit; remains uncorrected.
- Total number of findings on a specific low risk item exceeds three. Example: Form H1172, EBT Card, PIN and Data Entry Request, was not signed by the Electronic Benefit Transfer (EBT) clerk on three separate forms.
- Frequency of a specific finding.
- Degree of inaccuracy or missing records (re: forms, logs, etc.).
High Risk
- There was improper or no separation of duties.
- Re: storing and issuing [write in brief description such as: The issuance staff also performed the administrative terminal (AT) reconciliation]. (Security and Accountability Handbook [SAH] 3100)
- Local office staff did not request proper identification from the auditor at the start of the audit. (SAH Appendix VI)
- Unauthorized staff had access to the AT and cards.
- There were no adequate procedures to void and /or account for voided/returned cards/PINs (SAH 4420), may add applicable description as:
- Designated staff did not disable (deactivate) voided/returned cards/PINs on the AT. (SAH 4420)
- Returned cards/PINs were not destroyed properly. (SAH 4420)
- Office did not maintain a void log. (SAH 4410)
- Responsible staff did not void and/or destroy activated cards that were not picked up at the end of the day.
- EBT clerk did not lock daily supply of card when they left their workstation.
- EBT site coordinator did not keep bulk supply of cards in secure locked file cabinets.
- File cabinet keys to bulk/daily supply were not secure. (SAH 2620)
- EBT designated staff failed to lock application/sign off the AT when they left their workstation. (SAH 5400)
- Site coordinator did not resolve discrepancies and/or report shortages in a timely manner. (SAH 2620, 4500)
- There were no adequate review/monitoring procedures in place.
- There was a lack of, or a weakness in, the current review procedures so discrepancies were undetected for _____months. (give a brief description of the discrepancy)
- EBT documents (specify document) were not properly monitored during office visits to ensure compliance with security and accountability. (SAH 2610)
- Reconciliation of AT reports was not occurring daily or was not performed properly. (SAH 5300), may add applicable description such as:
- Site coordinator did not reconcile the AT report with Forms H1172; H1173, EBT Card Issuance and PIN Self-Selection/Issuance Log; H1175, Authorization for Administrative Terminal Application Action; and other appropriate documents.
- Site coordinator did not reconcile AT reports for weekends and holidays.
- Site coordinator did not sign or date the AT report to validate reconciliation.
- There were no adequate procedures for mailing cards. Add applicable description such as:
- Cards were mailed in an active status. (SAH 2620)
- Cards for mailing were left in an unsecured location.
- Office does not log mailed cards. (SAH 4430)
- Cards delivered by Texas Works Advisor (TWA) staff during home visits were not properly documented.
- Site coordinator did not perform a physical inventory of cards monthly.
- Texas Health and Human Services (HHS) issuance staff compromised the security of self-selected PINs. (TWH B-236.1)
- The number of cards for the daily (working) supply did not conform to the Regional Security Plan (RSP) for overnight storage. (SAH 4330, RSP)
Low Risk
- EBT site coordinator did not issue cards to the EBT clerk in numerical order.
- EBT clerk did not issue cards in numerical order.
- EBT site coordinator did not complete or keep Forms H1177, Transmittal and Receipt for Controlled EBT Documents, or an approved regional document. (SAH 2620)
- EBT site coordinator did not prepare or properly complete Forms H1174, Inventory of EBT Cards.
- EBT clerk did not review Form H1172 and/or Form H1175 for accuracy and completeness before issuing a card/PIN packet. (SAH 2640)
- Local office security plan was not updated to reflect current staff and provisions. (SAH 2720), may add description such as:
- EBT site coordinator failed to delete AT permission for an employee [that is no longer involved with EBT issuance] [transferred] [separated from HHS]. (SAH 2620, 5100)
- No signed receipt for delivery of cards and no annotation that shipment was physically counted upon receipt.
- Form H1172 is incomplete, inaccurate or missing. (TWH — Instructions to Form H1172) (add description/specifics)
- Form H1173 is incomplete, inaccurate or missing. (SAH 2620, 2630 and TWH — Instructions to Form H1173) (add description/specifics)
- Card inventory exceeded maximum allowed per security procedures. (SAH 4320, RSP)
- Only one person counted card package received from the vendor. (SAH 4200)
Note: If several errors are noted on the same form, it will only be written as one finding. Other details will be mentioned under that one finding. Example: The "mailed card" box is not checked on Form H1172. Also, the person completing the form failed to date the form. This will be written up as high risk #12d. A statement will be added to the finding addressing the other issue (incomplete form). It will not be written up as both high risk finding #12d and low risk finding #8.