RD579 - Report of the Risk Assessment of Executive Branch Agency Internal Controls for Administering and Disbursing Federal Pandemic Relief Funds – 2023

Executive Summary:

*This report was replaced in its entirety by the Secretary of Finance on November 3, 2023.

In 2023, the Department of Accounts (DOA), with the assistance of a third party, conducted a second-year risk assessment of executive branch agency internal controls for federal funds. The risk assessment relied upon existing data and documentation and was limited in scope to the Coronavirus Relief Funds (CRF) from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), and the State and Local Fiscal Recovery Funds (SLFRF) from the American Rescue Plan Act (ARPA). (*1) While there are additional federal regulations for other pandemic funding that are not applicable to the CRF and SLFRF, this risk assessment does not address all federal compliance requirements.

Through this high-level review, the assessment concluded that executive branch agencies have adequate internal control over federal funds. These control practices include: the ARMICS self-assessment process that evaluates agency internal control, aided by DOA's standardized guidance and tools; the Department of Planning and Budget’s (DPB’s) review of project eligibility and agency attestations of compliance; and DOA-hosted SLFRF trainings and the ARPA reporting system, which facilitate compliance with Treasury requirements. Additionally, agencies generally rely on comprehensive grant management systems to ensure compliance and maintain transparent project documentation.

However, a lack of portfolio-level oversight and centralized data systems creates inherent challenges in managing and tracking the funds at a Commonwealth-wide level. The current decentralized system makes a review of agency-level controls difficult due to the lack of real-time visibility into agency activities.

Specific potential gaps in the Commonwealth’s current state of internal control over federal funds are:

• Inherent risks arise from Virginia's decentralized federal funds management approach. These include a lack of real-time visibility into agency internal control activities for federal funds, reliance on self-assessments, reliance on self-reported data, and dependence on agencies to respond to audit and/or other requests appropriately and in a timely manner;

• Lack of knowledge transfer and cross-training can impact agency-level control over funds and can impact accuracy and timeliness of reporting;

• Consistent implementation and validation of IT-related control activities by agency management are essential for safeguarding sensitive information;(*2) and

• The current Library of Virginia’s records retention schedule notes that records relating to federal grant money should be maintained for three years(*3) after project completion, while SLFRF requirements are five years.

The remainder of this report details the analysis performed as part of this risk assessment.

(*1) The CRF and SLFRF were appropriated among agencies via Item 479.10, Chapter 56, 2020 Acts of Assembly Special Session I, Item 479.20, Chapter 1, 2022 Acts of Assembly Special Session I, Item 486, Chapter 2, 2022 Acts of Assembly Special Session I, Item 486.10, Chapter 769, 2023 Acts of Assembly, and Item 486, Chapter 1, 2023 Acts of Assembly Special Session I.
(*2) IT controls are relevant for federally funded projects where agencies are upgrading or implementing new systems or when they are collecting sensitive data.
(*3) GS-102 (virginia.gov)