Texas Single Audit FY2025: Inappropriate Privileged Access to Federal Awards System
Summary
The SSA OIG reported findings from the single audit of the State of Texas for FY2025, identifying that 2 of 17 HHSC user accounts in the State's centralized accounting system had been inappropriately granted Administrator role access providing elevated privileges beyond assigned duties. The finding represents a significant control deficiency under federal awards requirements. HHSC has removed the access and committed to establishing documented quarterly reviews of user accounts and audit logs. SSA has until September 18, 2026 to issue a management decision letter.
“Improper assignment of elevated access increases the risk of (1) unauthorized changes to system configuration, accounting rules, or financial data; (2) data modification or exposure, including information related to Federal program expenditures; and (3) bypassed compensating controls intended to maintain data integrity and separation of duties.”
State agencies receiving federal awards and operating centralized financial systems should review this finding as a control benchmark: inadequate privileged access controls in accounting systems create risk of unauthorized changes to financial data and federal program expenditures. The specific vulnerability here — users granted Administrator roles beyond their assigned duties — is detectable through regular access certification reviews. HHSC's corrective commitment to quarterly documented reviews with business justification provides a replicable control model.
What changed
The SSA OIG transmitted a single audit finding from CliftonLarsonAllen LLP's audit of the State of Texas for FY2025, identifying that two user accounts in the Health and Human Services Commission's centralized accounting system had been granted Administrator role access beyond their assigned duties. The improper access existed because system controls did not limit access or require regular certification. HHSC has since removed the access and committed to documented quarterly reviews, approval processes, and periodic re-validation of elevated roles.
State agencies that receive federal awards under SSA listing number 96 and operate centralized financial systems should review their user access controls and privileged access review processes. While this finding does not carry a direct monetary penalty, the underlying control deficiency creates exposure to unauthorized changes to financial data and federal program expenditure records. SSA's management decision on this finding is due by September 18, 2026.
Archived snapshot
Apr 20, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
MEMORANDUM
April 14, 2026 772629 Date: Refer To: Amy Gao To: Director Audit Liaison Staff Michelle L. Anderson From: Assistant Inspector General for Audit Single Audit of the State of Texas for the Fiscal Year Ended August 31, 2025 Subject:
This memorandum presents the Social Security Administration's (SSA) portion of the single
audit of the State of Texas for the Fiscal Year ended August 31, 2025. The audit firm 1CliftonLarsonAllen LLP conducted the audit. Our objective was to report internal control weaknesses, noncompliance issues, and unallowable costs identified in the single audit to SSA for resolution.
BACKGROUND
A single audit is an organization-wide financial statement and Federal awards audit of a non-Federal entity that expends $1 million or more in Federal funds in 1 year. It is intended to assure the Government that the non-Federal entity has adequate internal controls in place and is generally complying with program requirements. Non-Federal entities typically include state and local governments, Indian tribes, universities, and nonprofit organizations. For single audit purposes, the General Services Administration maintains a list of all Federal programs in the Federal Assistance Listing. SSA's Disability Insurance and Supplemental Security Income programs are identified under listing number 96. SSA is responsible for resolving single audit findings reported under this listing number. The Texas Disability Determination Services (DDS) performs disability determinations under
SSA's Disability Insurance and Supplemental Security Income programs in accordance with
Federal regulations. SSA reimburses the DDS for 100 percent of allowable costs. The Health and Human Services Commission (HHSC) is the Texas DDS' parent agency.
CliftonLarsonAllen LLP, State of Texas Federal Portion of the Statewide Single Audit Report for the Year Ended 1
August 31, 2025 (February 20, 2026).
Page 2 | Amy Gao
RESULTS
The single audit found that 2 of 17 HHSC user accounts in the State's centralized accounting, payroll, and financial system had been inappropriately granted access to the Administrator role. This role provides elevated privileges beyond the users' assigned duties and should be restricted to authorized system administrators only. The users obtained administrative privileges because the system's controls did not limit access or regularly certify users' access. Improper assignment of elevated access increases the risk of (1) unauthorized changes to system configuration, accounting rules, or financial data; (2) data modification or exposure, including information related to Federal program expenditures; and (3) bypassed compensating controls intended to maintain data integrity and separation of duties. HHSC management removed access; however, the presence of improper access before remediation represents a significant control deficiency. 2 In response to the single audit finding, HHSC indicated it uses software to monitor and log user activities and maintain documentation of approvals and business justifications. HHSC stated it will maintain documentation of recurring privileged access reviews across all financial software modules, as appropriate. Additionally, HHSC will establish a documented process to perform quarterly reviews of user accounts and audit logs to strengthen privileged access controls. The review process will include documented approval, business justification, and periodic re-validation of all elevated roles.
RECOMMENDATION
We recommend SSA work with HHSC to ensure it has controls to grant privileged access only to appropriate authorized users. The Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards requires that Federal awarding agencies issue a management decision letter on single audit findings within 6 months of acceptance of the audit report by the Federal Audit Clearinghouse. The Federal Audit Clearinghouse accepted the single audit of the State of Texas on March 18, 2026. If you have questions, contact OIG.Audit.Division.7@ssa.gov.
CliftonLarsonAllen LLP, State of Texas Federal Portion of the Statewide Single Audit Report for the Year Ended 2
August 31, 2025 (February 20, 2026), Finding 2025-003.
Related changes
Get daily alerts for US Social Security OIG
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from SSA OIG.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when US Social Security OIG publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.