The University of California at Riverside's Pilot Payroll Certification System Did Not Provide Accountability Over Payroll Charges to Federal Awards
The University of California at Riverside's (the University) prior effort-reporting system did not always provide the information needed to confirm that payroll costs had been appropriately allocated to Federal awards, and its current payroll certification system pilot (pilot PCS) provided less accountability over payroll charges to Federal awards than its prior effort-reporting system. Effort reporting is a person-based methodology that allocates each employee's reasonable estimate of time worked on all awards and other activities. Specifically, the pilot PCS did not comply with requirements of Circular A-21 and, as designed, limited the ability of the University and the Department of Health and Human Services to provide oversight of these funds. On the basis of our sample, we estimated that the University put at risk $11.7 million in salaries and $5.9 million in associated facilities and administrative costs claimed against National Institutes of Health awards.
Furthermore, the University's information technology (IT) controls for systems used to support the pilot PCS did not always ensure the security of data used to support labor charges. We identified general IT control weaknesses that included unrestricted remote access, inadequate password settings, poor patch management, and expired vendor support. We promptly communicated to the University our preliminary IT findings in advance of issuing our draft report.
We made procedural recommendations that the University increase its accountability over payroll charges to Federal awards. We made further procedural recommendations that the University strengthen its general IT controls for systems it used to support the pilot PCS. The University generally disagreed with our recommendations.
Filed under: General Departmental