U.S. Department of Health and Human Services Met the Requirements of the Digital Accountability and Transparency Act of 2014, but Key Areas Require Improvement

Ernst & Young (EY), under its contract with the HHS Office of Inspector General (OIG), audited the second quarter for fiscal year (FY) 2017 to determine HHS's compliance with the Digital Accountability and Transparency Act (DATA Act; P.L. No. 113-101) and related guidance.

EY determined HHS met the requirements of the DATA Act, but areas for improvement remained. EY determined that HHS met the second-quarter reporting deadline; the submitted data materially met the requirements for timeliness, accuracy, completeness and quality; HHS performed reconciliations of data not submitted in accordance with the DATA Act; and the differences were investigated, explanations provided, and corrective action plans developed to eliminate the cause of the differences.

EY identified areas that HHS should focus on improving. EY noted certain deficiencies related to the information technology environment associated with segregation of duties and access controls. EY also noted that HHS continued its ongoing data cleanup as part of its Office of Finance's data standardization efforts. In the absence of the Oracle patches to map data elements directly from feeder award systems to the Unified Financial Management System, the Healthcare Integrated General Ledger System, and the National Institutes of Health Business Systems, HHS developed an interim solution to meet the second quarter FY 2017 DATA Act submission requirement. The solution relied on manual processes to collect data from multiple owners and systems. EY noted that HHS did not have formal documentation of the universe of its control procedures, including the requirements for reconciliations and validations, in place before providing the second-quarter FY 2017 DATA Act submission.

We reviewed EY's audit of HHS's compliance with the DATA Act by (1) evaluating the independence, objectivity, and qualifications of EY auditors and specialists; (2) reviewing the approach and planning of the audit; (3) attending key meetings with auditors and CMS officials; (4) monitoring the progress of the audit; (5) examining audit documentation; and (6) reviewing the auditors' report.

EY is responsible for the attached report and the conclusions expressed in the report. Our monitoring review of EY's audit, as differentiated from an audit in accordance with generally accepted government auditing standards, was not intended to express, and we do not express, an opinion on HHS's compliance with the DATA Act. Our monitoring review disclosed no instances in which EY did not comply in all material respects with generally accepted government auditing standards.