Audit 299417

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

2023 002 Eligibility Student Financial Assistance Cluster: U.S. Department of Education Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) Federal Grant Numbers: E-P063P130272 (7/1/2022 - 6/30/2023), P268K130272 (7/1/2022 - 6/30/2023) Statistically Valid Sample: No, and it was not intended to be Prior Year Finding: Not a repeat finding. Finding Type: Material Weakness and Noncompliance Criteria: Calculation of Benefits Awards must be coordinated among the various programs and with other federal and nonfederal aid (need and non-need based aid) to ensure that total aid is not awarded in excess of the student’s financial need or cost of attendance (34 CFR 668.42, FWS, and FSEOG, 34 CFR 673.5 and 673.6; Direct Loan, 34 CFR 685.301). The determination of need-based SFA award amounts is based on financial need. Financial need is defined as the student’s cost of attendance (COA) minus the student’s expected family contribution (EFC) (as computed by the central processor and included on the student’s Student Aid Report (SAR)). Once a student is awarded any financial aid, to find remaining financial need one would use the following formula --COA minus EFC minus Estimated Financial Assistance (EFA) (§ 668.2) = remaining need. To avoid overpayments, need-based SFA awards cannot exceed the student’s overall financial need. Non need-based SFA awards are not limited to financial need but cannot exceed the student’s COA. To determine non need-based SFA awards (unsubsidized aid) one would use the following formula – COA minus EFA. For Title IV programs, the COA is generally the sum of the following: tuition and fees; an allowance for books, supplies, transportation, and miscellaneous personal expenses; an allowance for room and board; when applicable, allowances for costs for dependent care; costs associated with study abroad and cooperative education; costs related to disabilities; and fees charged for student loans. There are exceptions for students attending less than halftime, correspondence students, and incarcerated students. The financial aid administrator also has authority to use professional judgment to adjust the COA or alter the data elements used to calculate the EFC on a case-by-case basis to allow for special circumstances. Further, the University must establish and maintain effective internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. Condition and Context: We selected forty-three students for testwork who received financial aid disbursements during the year and noted the following: • Two students in our sample were awarded non-need based aid that resulted in the students being awarded in excess of their cost of attendance. After further analysis provided by the University, it was determined that a total of ninety-six students were over-awarded by $437,213. The amount is broken down as follows: fifty-six students were over-awarded and over-disbursed Federal aid totaling $263,522 which is considered a questioned cost, thirty-eight students were over-awarded and over-disbursed institutional aid totaling $165,327 and two students were over-awarded and over-disbursed private loans totaling $8,364. • The cost of attendance for one student in our sample was incorrectly calculated. The University has various cost of attendance calculations for different schools and/or programs of study. For this student’s program of study, certain cost components were doubled resulting in an inflated cost of attendance. The student selected for testwork was not awarded in excess of their correct cost of attendance. After further analysis provided by the University, it was determined that this issue impacted a total of eighty-four students (third year students had an additional 13,930 added to their cost of attendance and fourth year students had a total of $10,845 added to their cost of attendance). Of the eighty-four students, forty-two were over-awarded and over-disbursed Federal aid totaling $449,672 which is considered a questioned cost. The remaining forty-two students were not awarded in excess of their correct cost of attendance. In addition, as noted in finding 2023-001, the general information technology controls over the new Oracle Student Financial Planning (OSFP) system were determined to be ineffective and as such the related downstream key application controls could not be relied upon. Therefore, controls related to this compliance requirement could not be tested. Cause: For the two students awarded in excess of cost of attendance, the additional non-need based aid was awarded to the student and manually applied to the student’s account, which resulted in the cost of attendance to be overridden and the student to be awarded in excess of the student’s cost of attendance. For the one student who had an incorrect cost of attendance calculation, certain cost components were doubled for this program of study when entered in the system for student packaging. Effect: For the first issue noted above, fifty-six students were awarded and disbursed Federal aid in excess of their cost of attendance by $437,213. For the second issue noted above, forty-two students were awarded and disbursed Federal aid in excess of their cost of attendance by $449,672. Questioned Costs: As noted above, questioned costs for the Federal Direct Student Loans totaled $713,194. Recommendation: We recommend that the University implement controls to prevent awards to students in excess of their cost of attendance and to ensure that cost of attendance components are correcly entered into the system prior to packaging. The University should ensure that internal controls implemented are functioning as designed including related information technology controls. Views of Responsible Officials: Management agrees with the finding. The over-awards in the first issue were caused by manual intervention in student packaging when additional financial aid funds were added by staff members. In OSFP, manual awarding overrides the system edits in place to prevent over-awarding from occurring. The aid awarded should have been adjusted downward as to not exceed the total cost of attendance. The second issue was a systemic error for eighty-four students enrolled in the International Dental Program. The script used to build the cost of attendance in OSFP doubled one of the cost components in the 2022-2023 academic year.

2023 002 Eligibility Student Financial Assistance Cluster: U.S. Department of Education Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) Federal Grant Numbers: E-P063P130272 (7/1/2022 - 6/30/2023), P268K130272 (7/1/2022 - 6/30/2023) Statistically Valid Sample: No, and it was not intended to be Prior Year Finding: Not a repeat finding. Finding Type: Material Weakness and Noncompliance Criteria: Calculation of Benefits Awards must be coordinated among the various programs and with other federal and nonfederal aid (need and non-need based aid) to ensure that total aid is not awarded in excess of the student’s financial need or cost of attendance (34 CFR 668.42, FWS, and FSEOG, 34 CFR 673.5 and 673.6; Direct Loan, 34 CFR 685.301). The determination of need-based SFA award amounts is based on financial need. Financial need is defined as the student’s cost of attendance (COA) minus the student’s expected family contribution (EFC) (as computed by the central processor and included on the student’s Student Aid Report (SAR)). Once a student is awarded any financial aid, to find remaining financial need one would use the following formula --COA minus EFC minus Estimated Financial Assistance (EFA) (§ 668.2) = remaining need. To avoid overpayments, need-based SFA awards cannot exceed the student’s overall financial need. Non need-based SFA awards are not limited to financial need but cannot exceed the student’s COA. To determine non need-based SFA awards (unsubsidized aid) one would use the following formula – COA minus EFA. For Title IV programs, the COA is generally the sum of the following: tuition and fees; an allowance for books, supplies, transportation, and miscellaneous personal expenses; an allowance for room and board; when applicable, allowances for costs for dependent care; costs associated with study abroad and cooperative education; costs related to disabilities; and fees charged for student loans. There are exceptions for students attending less than halftime, correspondence students, and incarcerated students. The financial aid administrator also has authority to use professional judgment to adjust the COA or alter the data elements used to calculate the EFC on a case-by-case basis to allow for special circumstances. Further, the University must establish and maintain effective internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. Condition and Context: We selected forty-three students for testwork who received financial aid disbursements during the year and noted the following: • Two students in our sample were awarded non-need based aid that resulted in the students being awarded in excess of their cost of attendance. After further analysis provided by the University, it was determined that a total of ninety-six students were over-awarded by $437,213. The amount is broken down as follows: fifty-six students were over-awarded and over-disbursed Federal aid totaling $263,522 which is considered a questioned cost, thirty-eight students were over-awarded and over-disbursed institutional aid totaling $165,327 and two students were over-awarded and over-disbursed private loans totaling $8,364. • The cost of attendance for one student in our sample was incorrectly calculated. The University has various cost of attendance calculations for different schools and/or programs of study. For this student’s program of study, certain cost components were doubled resulting in an inflated cost of attendance. The student selected for testwork was not awarded in excess of their correct cost of attendance. After further analysis provided by the University, it was determined that this issue impacted a total of eighty-four students (third year students had an additional 13,930 added to their cost of attendance and fourth year students had a total of $10,845 added to their cost of attendance). Of the eighty-four students, forty-two were over-awarded and over-disbursed Federal aid totaling $449,672 which is considered a questioned cost. The remaining forty-two students were not awarded in excess of their correct cost of attendance. In addition, as noted in finding 2023-001, the general information technology controls over the new Oracle Student Financial Planning (OSFP) system were determined to be ineffective and as such the related downstream key application controls could not be relied upon. Therefore, controls related to this compliance requirement could not be tested. Cause: For the two students awarded in excess of cost of attendance, the additional non-need based aid was awarded to the student and manually applied to the student’s account, which resulted in the cost of attendance to be overridden and the student to be awarded in excess of the student’s cost of attendance. For the one student who had an incorrect cost of attendance calculation, certain cost components were doubled for this program of study when entered in the system for student packaging. Effect: For the first issue noted above, fifty-six students were awarded and disbursed Federal aid in excess of their cost of attendance by $437,213. For the second issue noted above, forty-two students were awarded and disbursed Federal aid in excess of their cost of attendance by $449,672. Questioned Costs: As noted above, questioned costs for the Federal Direct Student Loans totaled $713,194. Recommendation: We recommend that the University implement controls to prevent awards to students in excess of their cost of attendance and to ensure that cost of attendance components are correcly entered into the system prior to packaging. The University should ensure that internal controls implemented are functioning as designed including related information technology controls. Views of Responsible Officials: Management agrees with the finding. The over-awards in the first issue were caused by manual intervention in student packaging when additional financial aid funds were added by staff members. In OSFP, manual awarding overrides the system edits in place to prevent over-awarding from occurring. The aid awarded should have been adjusted downward as to not exceed the total cost of attendance. The second issue was a systemic error for eighty-four students enrolled in the International Dental Program. The script used to build the cost of attendance in OSFP doubled one of the cost components in the 2022-2023 academic year.

2023 003 Reporting (Financial) Student Financial Assistance Cluster: U.S. Department of Education Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) Federal Grant Numbers: E-P063P130272 (7/1/2022 - 6/30/2023), P268K130272 (7/1/2022 - 6/30/2023) Statistically Valid Sample: No, and it was not intended to be Prior Year Finding: Not a repeat finding. Finding Type: Material Weakness and Noncompliance Criteria: SFA – Title IV Programs Institutions submit Direct Loan, Pell Grant, TEACH Grant, and IASG origination records and disbursement records to the Common Origination and Disbursement (COD) system. Origination records can be sent well in advance of any disbursements, as early as the institution chooses to submit them for any student the institution reasonably believes will be eligible for a payment. An institution follows up with a disbursement record for that student no earlier than (1) seven calendar days prior to the disbursement date under the Advance or Heightened Cash Monitoring 1 payment methods, or (2) the date of the disbursement under the Reimbursement or Heightened Cash Monitoring 2 Payment Method (see Federal Register, Volume 86, Number 119, June 24, 2021). The disbursement record reports the actual disbursement date and the amount of the disbursement. ED processes origination and/or disbursement records and returns acknowledgments to the institution. The acknowledgments identify the processing status of each record: Rejected, Accepted with Corrections, or Accepted. In testing the origination and disbursement data, the auditor should be most concerned with the data ED has categorized as accepted or accepted with corrections. Institutions must report student disbursement data within 15 calendar days after the institution makes a disbursement or becomes aware of the need to make an adjustment to previously reported student disbursement data or expected student disbursement data. Institutions may do this by reporting once every 15 calendar days, bi-weekly or weekly, or may set up their own system to ensure that changes are reported in a timely manner. Key items to test on origination records, if applicable, are: Social Security number, award amount, enrollment date, verification status code (when the applicant is selected for verification), transaction number, cost of attendance, and the “Academic Start Date” and “Academic End Date”. Key items to test on disbursement records are disbursement date and amount. Further, the University must establish and maintain effective internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. Condition and Context: During our testing of the key items on the origination records, we noted the following: • For twenty of the twenty Pell disbursements selected for testwork, the cost of attendance did not agree between University records and the COD system. • For twenty-seven out of the forty-one Direct Loan disbursements selected for testwork, the cost of attendance did not agree between University records and the COD system. • For fourteen of the twenty Pell disbursements selected for testwork, the enrollment date did not agree between University records and the COD system. • For thirty of the forty-one Direct Loan disbursements selected for testwork, the academic start date did not agree between University records and the COD system. In addition, as noted in finding 2023-001, the general information technology controls over the new Oracle Student Financial Planning (OSFP) system were determined to be ineffective and as such the related downstream key application controls could not be relied upon. Therefore, controls related to this compliance requirement could not be tested. Cause: Related to cost of attendance, the incorrect cost of attendance was sent to the COD system due to a system error that existed in the system prior to fiscal year 2024 causing the incorrect cost of attendance to be transmitted to COD. Related to academic start date for the Direct Loan transactions and enrollment date for the Pell transactions, the prior year academic start date was rolled forward for fiscal year 2023, however the first day of classes was not updated. Effect: The cost of attendance and academic start date was reported incorrectly in COD for these students. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed. Recommendation: We recommend that the University ensure that the correct cost of attendance and academic start dates are reported to COD for each student. Views of Responsible Officials: Management agrees with the finding. The incorrect cost of attendance that was reported to COD was the result of a system defect which was reported to OSFP in September of 2023 when a staff member noticed a data mismatch between the University cost of attendance data and COD. OSFP corrected the defect, and the data has been correctly reported since November 23, 2023. The incorrect start date was the result of rolling over the 2021-2022 prior year dates during system start-up. In finalizing the dates for production, the start date year was properly updated but the start day was not updated correctly.

2023 003 Reporting (Financial) Student Financial Assistance Cluster: U.S. Department of Education Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) Federal Grant Numbers: E-P063P130272 (7/1/2022 - 6/30/2023), P268K130272 (7/1/2022 - 6/30/2023) Statistically Valid Sample: No, and it was not intended to be Prior Year Finding: Not a repeat finding. Finding Type: Material Weakness and Noncompliance Criteria: SFA – Title IV Programs Institutions submit Direct Loan, Pell Grant, TEACH Grant, and IASG origination records and disbursement records to the Common Origination and Disbursement (COD) system. Origination records can be sent well in advance of any disbursements, as early as the institution chooses to submit them for any student the institution reasonably believes will be eligible for a payment. An institution follows up with a disbursement record for that student no earlier than (1) seven calendar days prior to the disbursement date under the Advance or Heightened Cash Monitoring 1 payment methods, or (2) the date of the disbursement under the Reimbursement or Heightened Cash Monitoring 2 Payment Method (see Federal Register, Volume 86, Number 119, June 24, 2021). The disbursement record reports the actual disbursement date and the amount of the disbursement. ED processes origination and/or disbursement records and returns acknowledgments to the institution. The acknowledgments identify the processing status of each record: Rejected, Accepted with Corrections, or Accepted. In testing the origination and disbursement data, the auditor should be most concerned with the data ED has categorized as accepted or accepted with corrections. Institutions must report student disbursement data within 15 calendar days after the institution makes a disbursement or becomes aware of the need to make an adjustment to previously reported student disbursement data or expected student disbursement data. Institutions may do this by reporting once every 15 calendar days, bi-weekly or weekly, or may set up their own system to ensure that changes are reported in a timely manner. Key items to test on origination records, if applicable, are: Social Security number, award amount, enrollment date, verification status code (when the applicant is selected for verification), transaction number, cost of attendance, and the “Academic Start Date” and “Academic End Date”. Key items to test on disbursement records are disbursement date and amount. Further, the University must establish and maintain effective internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. Condition and Context: During our testing of the key items on the origination records, we noted the following: • For twenty of the twenty Pell disbursements selected for testwork, the cost of attendance did not agree between University records and the COD system. • For twenty-seven out of the forty-one Direct Loan disbursements selected for testwork, the cost of attendance did not agree between University records and the COD system. • For fourteen of the twenty Pell disbursements selected for testwork, the enrollment date did not agree between University records and the COD system. • For thirty of the forty-one Direct Loan disbursements selected for testwork, the academic start date did not agree between University records and the COD system. In addition, as noted in finding 2023-001, the general information technology controls over the new Oracle Student Financial Planning (OSFP) system were determined to be ineffective and as such the related downstream key application controls could not be relied upon. Therefore, controls related to this compliance requirement could not be tested. Cause: Related to cost of attendance, the incorrect cost of attendance was sent to the COD system due to a system error that existed in the system prior to fiscal year 2024 causing the incorrect cost of attendance to be transmitted to COD. Related to academic start date for the Direct Loan transactions and enrollment date for the Pell transactions, the prior year academic start date was rolled forward for fiscal year 2023, however the first day of classes was not updated. Effect: The cost of attendance and academic start date was reported incorrectly in COD for these students. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed. Recommendation: We recommend that the University ensure that the correct cost of attendance and academic start dates are reported to COD for each student. Views of Responsible Officials: Management agrees with the finding. The incorrect cost of attendance that was reported to COD was the result of a system defect which was reported to OSFP in September of 2023 when a staff member noticed a data mismatch between the University cost of attendance data and COD. OSFP corrected the defect, and the data has been correctly reported since November 23, 2023. The incorrect start date was the result of rolling over the 2021-2022 prior year dates during system start-up. In finalizing the dates for production, the start date year was properly updated but the start day was not updated correctly.

2023 004 Special Tests (Enrollment Reporting) Student Financial Assistance Cluster: U.S. Department of Education Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) Federal Grant Numbers: E-P063P130272 (7/1/2022 - 6/30/2023), P268K130272 (7/1/2022 - 6/30/2023) Statistically Valid Sample: No, and it was not intended to be Prior Year Finding: Not a repeat finding. Finding Type: Significant Deficiency and Noncompliance Criteria: Under the Pell grant and the Direct and Federal Family Education Loan programs, institutions are required to report enrollment information via the National Student Loan Data System (NSLDS) (OMB No. 1845 0035). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update and certify student enrollment statuses, program information and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information. There are two categories of enrollment information; “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. Institutions are responsible for accurately reporting all Campus-Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk: • OPEID number, enrollment effective date, enrollment status and certification date Institutions are responsible for accurately reporting all Program-Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk: • OPEID number, CIP code, CIP year, credential level, published program length measurement, published program length, program begin date, program enrollment status and program enrollment effective date Institutions are responsible for timely reporting, whether they report directly or via a third-party servicer. Institutions must complete and return within 15 days the Enrollment Reporting roster file placed in their Student Aid Internet Gateway (SAIG) (OMB No. 1845-0002) mailboxes sent by ED via NSLDS. An institution determines how often it receives the Enrollment Reporting roster file with the default set at a minimum of every 60 days. Once received, the institution must update for changes in the data elements for the Campus Record and the Program Record identified above, and submit the changes electronically through the batch method, spreadsheet submittal, or the NSLDS website (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309: Perkins 34 CFR 674.19(f)). Additionally, in accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. Condition and Context: The University utilizes the National Student Clearinghouse (the Clearinghouse) as a service provider for transmissions of its enrollment reporting changes to the National Student Loan Data System (NSLDS). The University receives the Enrollment Reporting Roster and updates it for changes in student status. The file is sent to the Clearinghouse who transmits the updated information to NSLDS. There were 40 students selected for testwork. For two of the forty students selected for testwork, the University did not report the student’s status change to NSLDS within 60 days as graduated to NSLDS on the Campus-Level Record. Students were reported 22 – 204 days late. For one of these two students, the degrees for their school were not part of the May submission and were instead posted late in July. After further analysis provided by the University, there were a total of 160 students who were impacted by this issue. Cause: As mentioned above, for one student, the degrees for their school were not part of the May submission and were instead posted late in July. One student graduated and immediately enrolled in a graduate program and therefore the graduation date was not reported timely. Effect: Student status changes not reported in a timely manner will cause the student to not enter into repayment status on a timely basis. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed. Recommendation: We recommend the University review its current policies and procedures to ensure that all status changes are reported to NSLDS timely. Views of Responsible Officials: Management agrees with the finding. For the school where the degrees were not reported timely, there was a total of 160 students whose degree certification information was not reported by the school to the University Registrar in time to be included in the correct batch process. The file reporting May graduates was processed on July 3, 2023 and these students were not included. They were added to the next cycle which was beyond the 60-day requirement. The University Registrar will send a memorandum to all degree certifying officers at the University reminding them that degree certification must be completed by the appropriate date to be certain all students are included on the file that updates NSLDS with the graduation date. The Chancellor Unit registrars will be asked to send out reminders in the weeks leading up to the required submission date and to track the completion of degree certifications. There are instances where students begin enrollment in a new academic program before the degree certification process is completed. Those students are reported as enrolled to prevent them from being incorrectly placed into repayment. That causes the graduation date to be incorrectly reported on the program level record in a timely basis. A process will be developed to allow for the proper reporting of graduation information on the Program-Level Record to NSLDS even when the student remains currently enrolled at the University and is being reported as such on the Campus-Level Record.

2023 004 Special Tests (Enrollment Reporting) Student Financial Assistance Cluster: U.S. Department of Education Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) Federal Grant Numbers: E-P063P130272 (7/1/2022 - 6/30/2023), P268K130272 (7/1/2022 - 6/30/2023) Statistically Valid Sample: No, and it was not intended to be Prior Year Finding: Not a repeat finding. Finding Type: Significant Deficiency and Noncompliance Criteria: Under the Pell grant and the Direct and Federal Family Education Loan programs, institutions are required to report enrollment information via the National Student Loan Data System (NSLDS) (OMB No. 1845 0035). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update and certify student enrollment statuses, program information and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information. There are two categories of enrollment information; “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. Institutions are responsible for accurately reporting all Campus-Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk: • OPEID number, enrollment effective date, enrollment status and certification date Institutions are responsible for accurately reporting all Program-Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk: • OPEID number, CIP code, CIP year, credential level, published program length measurement, published program length, program begin date, program enrollment status and program enrollment effective date Institutions are responsible for timely reporting, whether they report directly or via a third-party servicer. Institutions must complete and return within 15 days the Enrollment Reporting roster file placed in their Student Aid Internet Gateway (SAIG) (OMB No. 1845-0002) mailboxes sent by ED via NSLDS. An institution determines how often it receives the Enrollment Reporting roster file with the default set at a minimum of every 60 days. Once received, the institution must update for changes in the data elements for the Campus Record and the Program Record identified above, and submit the changes electronically through the batch method, spreadsheet submittal, or the NSLDS website (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309: Perkins 34 CFR 674.19(f)). Additionally, in accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. Condition and Context: The University utilizes the National Student Clearinghouse (the Clearinghouse) as a service provider for transmissions of its enrollment reporting changes to the National Student Loan Data System (NSLDS). The University receives the Enrollment Reporting Roster and updates it for changes in student status. The file is sent to the Clearinghouse who transmits the updated information to NSLDS. There were 40 students selected for testwork. For two of the forty students selected for testwork, the University did not report the student’s status change to NSLDS within 60 days as graduated to NSLDS on the Campus-Level Record. Students were reported 22 – 204 days late. For one of these two students, the degrees for their school were not part of the May submission and were instead posted late in July. After further analysis provided by the University, there were a total of 160 students who were impacted by this issue. Cause: As mentioned above, for one student, the degrees for their school were not part of the May submission and were instead posted late in July. One student graduated and immediately enrolled in a graduate program and therefore the graduation date was not reported timely. Effect: Student status changes not reported in a timely manner will cause the student to not enter into repayment status on a timely basis. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed. Recommendation: We recommend the University review its current policies and procedures to ensure that all status changes are reported to NSLDS timely. Views of Responsible Officials: Management agrees with the finding. For the school where the degrees were not reported timely, there was a total of 160 students whose degree certification information was not reported by the school to the University Registrar in time to be included in the correct batch process. The file reporting May graduates was processed on July 3, 2023 and these students were not included. They were added to the next cycle which was beyond the 60-day requirement. The University Registrar will send a memorandum to all degree certifying officers at the University reminding them that degree certification must be completed by the appropriate date to be certain all students are included on the file that updates NSLDS with the graduation date. The Chancellor Unit registrars will be asked to send out reminders in the weeks leading up to the required submission date and to track the completion of degree certifications. There are instances where students begin enrollment in a new academic program before the degree certification process is completed. Those students are reported as enrolled to prevent them from being incorrectly placed into repayment. That causes the graduation date to be incorrectly reported on the program level record in a timely basis. A process will be developed to allow for the proper reporting of graduation information on the Program-Level Record to NSLDS even when the student remains currently enrolled at the University and is being reported as such on the Campus-Level Record.

2023 005 Procurement and Suspension and Debarment U.S. Department of Treasury: Pass Through - Office of the Secretary of Higher Education (OSHE) COVID-19 - State and Local Fiscal Recovery Funds (CSLFRF) (ALN 21.027) Grant Number: 2021-100-074-2400-085 Statistically Valid Sample: No, and it was not intended to be Prior Year Finding: Not a repeat finding. Finding Type: Material Weakness and Noncompliance Criteria: Non-federal entities are prohibited from contracting with or making subawards under covered transactions to parties that are suspended or debarred. “Covered transactions” include contracts for goods and services awarded under a non-procurement transaction (e.g., grant or cooperative agreement) that are expected to equal or exceed $25,000 or meet certain other criteria as specified in 2 CFR section 180.220. When a non-federal entity enters into a covered transaction with an entity at a lower tier, the non-federal entity must verify that the entity, as defined in 2 CFR section 180.995 and agency adopting regulations, is not suspended or debarred or otherwise excluded from participating in the transaction. This verification may be accomplished by (1) checking the System for Award Management (SAM) Exclusions maintained by the General Services Administration (GSA) and available at SAM.gov | Home (click on Search Record, then click on Advanced Search Exclusions) (Note: The OMB guidance at 2 CFR Part 180 and agency implementing regulations still refer to the SAM Exclusions as the Excluded Parties List System (EPLS)), (2) collecting a certification from the entity, or (3) adding a clause or condition to the covered transaction with that entity (2 CFR section 180.300). Additionally, in accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. Condition and Context: The University received federal grant funds passed through the State of New Jersey as an Appropriation in fiscal year 2023 and a portion of these funds were provided to a third party. Because of the dollar value of the funds provided, the University entered into a covered transaction with this third party. The University did not verify that the entity was not suspended or debarred prior to entering into the covered transaction. Cause: The transaction did not follow the University’s standard grants management process or normal procurement process because of the source of the funding. Both of these processes include a suspension and debarment check prior to payment, and therefore a check was not performed. Effect: Funds could have been provided to an entity who was suspended or debarred. Questioned Costs: We confirmed that the entity was not suspended or debarred. No questioned costs were noted as a result of the audit procedures performed. Recommendation: We recommend the University review its current policies and procedures to ensure that a suspension and debarment check is performed for all covered transactions prior to entering into the covered transaction. Views of Responsible Officials: Management agrees with the finding as the University did not perform a suspension and debarment check on the Developer, NJ Innovation Associates Urban Renewal LLC prior to entering into a covered transaction. It should be noted that the University has the appropriate procedures in place to ensure that suspension and debarment checks are performed for all covered transactions, prior to entering into the covered transaction, in the University’s normal course of business. However, the transaction in question was a non-typical event relating to a capital project and Master Lease Agreement, which is partially funded by Federal funds. Due to timing of approvals, including the Master Lease Agreements, and closing date of the property acquisition, the University had to initiate its “Emergency Domestic Wire Request” process for the land and closing transaction dated May 22, 2023, in the amount of $23,606,527.03. If it was not necessary to initiate this process, then the University’s typical procedures to check suspension and debarment would have occurred. The University will review it procedures for “Emergency Domestic Wire Requests” to ensure that when covered transactions involving Federal funds fall into this process, a suspension and debarment check is performed on covered transactions prior to entering into the covered transaction.

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

Student Financial Assistance Cluster: U.S. Department of Education Federal Supplemental Educational Opportunity Grants (ALN 84.007) Federal Work-Study Program (ALN 84.033) Federal Perkins Loans (ALN 84.038) Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) U.S. Department of Health and Human Services (DHHS), DHHS Health Resources and Services Administration Nurse Faculty Loan Program (ALN 93.264) Scholarships for Health Professions Students from Disadvantaged Backgrounds (ALN 93.925) Federal Grant Numbers: E-P007A132602 (7/1/2022 – 6/30/2023), E-P033A132602 (7/1/2022 – 6/30/2023), E-P038A132602 (7/1/2022 – 6/30/2023), E-P063P130272 (7/1/2022 – 6/30/2023), P268K130272 (7/1/2022 – 6/30/2023), E-01HP28821-02-02, E36HP26092, E36HP25751, E26HP25748, E11HP27284 (7/1/2022 – 6/30/2023), 1T08HP393200100 (7/1/2022 – 6/30/2023), 5 T08HP39320-03-00 (7/1/2022 – 6/30/2023) Statistically valid sample: No and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Material weakness Criteria: In accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. During fiscal year 2023, the University implemented a new system called Oracle Student Financial Planning (OSFP) which is used to package the students’ financial aid. The system performs the following functions: • Determines eligibility of students using various inputs, including information obtained from the Federal Student Aid Record and student enrollment and demographic information. This information is also used to calculate the cost of attendance, calculated need and the federal award amounts. • Disburses student financial assistance to students. • Reports disbursement information to the Common Origination and Disbursement system. The internal controls over these functions are considered automated controls for the applicable compliance requirements. Condition and Context: In order to gain comfort over the automated application controls, we tested the applicable information technology general controls particularly in the areas of logical access and program changes. During our testwork, it was noted that the University’s standard policies and procedures to monitor appropriate user access and program changes were not followed. Related to user access, it was noted that there are thirty-five users assigned to the role System Administrator. With this level of access users have the capability to change configuration, develop scripts and deploy changes. Additionally, we noted that some of the users develop and deploy code indicating there is no segregation of duties between the developer and the implementer. Related to program changes, it was noted that while changes to OSFP are documented in a project tracking software or a spreadsheet, they are not consistently documented as to which code is deployed to OSFP production, whether the developed code is tested and approved, and who deployed the code. Additionally, any changes that were tracked, were only maintained for 6 months. Cause: The system was new in fiscal year 2023 and the University’s standard policies and procedures were not followed for the system during the fiscal year. Effect: As the general information technology controls over the OSFP system were determined to be ineffective, the related downstream key application controls could not be relied upon or tested. Such key application controls include: calculation of a student’s need, calculation and application of cost of attendance, determination of a student’s eligibility to receive federal and state awards and calculation of awards based on a student’s need and cost of attendance. Additionally, there were no manual controls over these key compliance areas to mitigate the inability to rely upon the application controls. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed as the finding was related only to internal controls and not to non-compliance. Recommendation: We recommend that the University implement all standard policies and procedures for general IT controls for this system, including those related to logical access, program changes and the retention of documentation of program changes to ensure an effective general information technology control environment. Views of Responsible Official: Management agrees with the finding. Management has documented and implemented system release management practices for the OSFP system. All change requests, updates and approvals for the OSFP system will be tracked in a project tracking software. A dedicated OSFP administrator was onboarded, to segregate duties within the technical team, with the capability of deploying changes to production. A new access role was also implemented which will limit some of the permissions, and the majority of the thirty-five users were moved to this more limited role. Finally, a recertification process will be developed and a recertification will be completed annually for the OSFP system.

2023 002 Eligibility Student Financial Assistance Cluster: U.S. Department of Education Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) Federal Grant Numbers: E-P063P130272 (7/1/2022 - 6/30/2023), P268K130272 (7/1/2022 - 6/30/2023) Statistically Valid Sample: No, and it was not intended to be Prior Year Finding: Not a repeat finding. Finding Type: Material Weakness and Noncompliance Criteria: Calculation of Benefits Awards must be coordinated among the various programs and with other federal and nonfederal aid (need and non-need based aid) to ensure that total aid is not awarded in excess of the student’s financial need or cost of attendance (34 CFR 668.42, FWS, and FSEOG, 34 CFR 673.5 and 673.6; Direct Loan, 34 CFR 685.301). The determination of need-based SFA award amounts is based on financial need. Financial need is defined as the student’s cost of attendance (COA) minus the student’s expected family contribution (EFC) (as computed by the central processor and included on the student’s Student Aid Report (SAR)). Once a student is awarded any financial aid, to find remaining financial need one would use the following formula --COA minus EFC minus Estimated Financial Assistance (EFA) (§ 668.2) = remaining need. To avoid overpayments, need-based SFA awards cannot exceed the student’s overall financial need. Non need-based SFA awards are not limited to financial need but cannot exceed the student’s COA. To determine non need-based SFA awards (unsubsidized aid) one would use the following formula – COA minus EFA. For Title IV programs, the COA is generally the sum of the following: tuition and fees; an allowance for books, supplies, transportation, and miscellaneous personal expenses; an allowance for room and board; when applicable, allowances for costs for dependent care; costs associated with study abroad and cooperative education; costs related to disabilities; and fees charged for student loans. There are exceptions for students attending less than halftime, correspondence students, and incarcerated students. The financial aid administrator also has authority to use professional judgment to adjust the COA or alter the data elements used to calculate the EFC on a case-by-case basis to allow for special circumstances. Further, the University must establish and maintain effective internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. Condition and Context: We selected forty-three students for testwork who received financial aid disbursements during the year and noted the following: • Two students in our sample were awarded non-need based aid that resulted in the students being awarded in excess of their cost of attendance. After further analysis provided by the University, it was determined that a total of ninety-six students were over-awarded by $437,213. The amount is broken down as follows: fifty-six students were over-awarded and over-disbursed Federal aid totaling $263,522 which is considered a questioned cost, thirty-eight students were over-awarded and over-disbursed institutional aid totaling $165,327 and two students were over-awarded and over-disbursed private loans totaling $8,364. • The cost of attendance for one student in our sample was incorrectly calculated. The University has various cost of attendance calculations for different schools and/or programs of study. For this student’s program of study, certain cost components were doubled resulting in an inflated cost of attendance. The student selected for testwork was not awarded in excess of their correct cost of attendance. After further analysis provided by the University, it was determined that this issue impacted a total of eighty-four students (third year students had an additional 13,930 added to their cost of attendance and fourth year students had a total of $10,845 added to their cost of attendance). Of the eighty-four students, forty-two were over-awarded and over-disbursed Federal aid totaling $449,672 which is considered a questioned cost. The remaining forty-two students were not awarded in excess of their correct cost of attendance. In addition, as noted in finding 2023-001, the general information technology controls over the new Oracle Student Financial Planning (OSFP) system were determined to be ineffective and as such the related downstream key application controls could not be relied upon. Therefore, controls related to this compliance requirement could not be tested. Cause: For the two students awarded in excess of cost of attendance, the additional non-need based aid was awarded to the student and manually applied to the student’s account, which resulted in the cost of attendance to be overridden and the student to be awarded in excess of the student’s cost of attendance. For the one student who had an incorrect cost of attendance calculation, certain cost components were doubled for this program of study when entered in the system for student packaging. Effect: For the first issue noted above, fifty-six students were awarded and disbursed Federal aid in excess of their cost of attendance by $437,213. For the second issue noted above, forty-two students were awarded and disbursed Federal aid in excess of their cost of attendance by $449,672. Questioned Costs: As noted above, questioned costs for the Federal Direct Student Loans totaled $713,194. Recommendation: We recommend that the University implement controls to prevent awards to students in excess of their cost of attendance and to ensure that cost of attendance components are correcly entered into the system prior to packaging. The University should ensure that internal controls implemented are functioning as designed including related information technology controls. Views of Responsible Officials: Management agrees with the finding. The over-awards in the first issue were caused by manual intervention in student packaging when additional financial aid funds were added by staff members. In OSFP, manual awarding overrides the system edits in place to prevent over-awarding from occurring. The aid awarded should have been adjusted downward as to not exceed the total cost of attendance. The second issue was a systemic error for eighty-four students enrolled in the International Dental Program. The script used to build the cost of attendance in OSFP doubled one of the cost components in the 2022-2023 academic year.

2023 002 Eligibility Student Financial Assistance Cluster: U.S. Department of Education Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) Federal Grant Numbers: E-P063P130272 (7/1/2022 - 6/30/2023), P268K130272 (7/1/2022 - 6/30/2023) Statistically Valid Sample: No, and it was not intended to be Prior Year Finding: Not a repeat finding. Finding Type: Material Weakness and Noncompliance Criteria: Calculation of Benefits Awards must be coordinated among the various programs and with other federal and nonfederal aid (need and non-need based aid) to ensure that total aid is not awarded in excess of the student’s financial need or cost of attendance (34 CFR 668.42, FWS, and FSEOG, 34 CFR 673.5 and 673.6; Direct Loan, 34 CFR 685.301). The determination of need-based SFA award amounts is based on financial need. Financial need is defined as the student’s cost of attendance (COA) minus the student’s expected family contribution (EFC) (as computed by the central processor and included on the student’s Student Aid Report (SAR)). Once a student is awarded any financial aid, to find remaining financial need one would use the following formula --COA minus EFC minus Estimated Financial Assistance (EFA) (§ 668.2) = remaining need. To avoid overpayments, need-based SFA awards cannot exceed the student’s overall financial need. Non need-based SFA awards are not limited to financial need but cannot exceed the student’s COA. To determine non need-based SFA awards (unsubsidized aid) one would use the following formula – COA minus EFA. For Title IV programs, the COA is generally the sum of the following: tuition and fees; an allowance for books, supplies, transportation, and miscellaneous personal expenses; an allowance for room and board; when applicable, allowances for costs for dependent care; costs associated with study abroad and cooperative education; costs related to disabilities; and fees charged for student loans. There are exceptions for students attending less than halftime, correspondence students, and incarcerated students. The financial aid administrator also has authority to use professional judgment to adjust the COA or alter the data elements used to calculate the EFC on a case-by-case basis to allow for special circumstances. Further, the University must establish and maintain effective internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. Condition and Context: We selected forty-three students for testwork who received financial aid disbursements during the year and noted the following: • Two students in our sample were awarded non-need based aid that resulted in the students being awarded in excess of their cost of attendance. After further analysis provided by the University, it was determined that a total of ninety-six students were over-awarded by $437,213. The amount is broken down as follows: fifty-six students were over-awarded and over-disbursed Federal aid totaling $263,522 which is considered a questioned cost, thirty-eight students were over-awarded and over-disbursed institutional aid totaling $165,327 and two students were over-awarded and over-disbursed private loans totaling $8,364. • The cost of attendance for one student in our sample was incorrectly calculated. The University has various cost of attendance calculations for different schools and/or programs of study. For this student’s program of study, certain cost components were doubled resulting in an inflated cost of attendance. The student selected for testwork was not awarded in excess of their correct cost of attendance. After further analysis provided by the University, it was determined that this issue impacted a total of eighty-four students (third year students had an additional 13,930 added to their cost of attendance and fourth year students had a total of $10,845 added to their cost of attendance). Of the eighty-four students, forty-two were over-awarded and over-disbursed Federal aid totaling $449,672 which is considered a questioned cost. The remaining forty-two students were not awarded in excess of their correct cost of attendance. In addition, as noted in finding 2023-001, the general information technology controls over the new Oracle Student Financial Planning (OSFP) system were determined to be ineffective and as such the related downstream key application controls could not be relied upon. Therefore, controls related to this compliance requirement could not be tested. Cause: For the two students awarded in excess of cost of attendance, the additional non-need based aid was awarded to the student and manually applied to the student’s account, which resulted in the cost of attendance to be overridden and the student to be awarded in excess of the student’s cost of attendance. For the one student who had an incorrect cost of attendance calculation, certain cost components were doubled for this program of study when entered in the system for student packaging. Effect: For the first issue noted above, fifty-six students were awarded and disbursed Federal aid in excess of their cost of attendance by $437,213. For the second issue noted above, forty-two students were awarded and disbursed Federal aid in excess of their cost of attendance by $449,672. Questioned Costs: As noted above, questioned costs for the Federal Direct Student Loans totaled $713,194. Recommendation: We recommend that the University implement controls to prevent awards to students in excess of their cost of attendance and to ensure that cost of attendance components are correcly entered into the system prior to packaging. The University should ensure that internal controls implemented are functioning as designed including related information technology controls. Views of Responsible Officials: Management agrees with the finding. The over-awards in the first issue were caused by manual intervention in student packaging when additional financial aid funds were added by staff members. In OSFP, manual awarding overrides the system edits in place to prevent over-awarding from occurring. The aid awarded should have been adjusted downward as to not exceed the total cost of attendance. The second issue was a systemic error for eighty-four students enrolled in the International Dental Program. The script used to build the cost of attendance in OSFP doubled one of the cost components in the 2022-2023 academic year.

2023 003 Reporting (Financial) Student Financial Assistance Cluster: U.S. Department of Education Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) Federal Grant Numbers: E-P063P130272 (7/1/2022 - 6/30/2023), P268K130272 (7/1/2022 - 6/30/2023) Statistically Valid Sample: No, and it was not intended to be Prior Year Finding: Not a repeat finding. Finding Type: Material Weakness and Noncompliance Criteria: SFA – Title IV Programs Institutions submit Direct Loan, Pell Grant, TEACH Grant, and IASG origination records and disbursement records to the Common Origination and Disbursement (COD) system. Origination records can be sent well in advance of any disbursements, as early as the institution chooses to submit them for any student the institution reasonably believes will be eligible for a payment. An institution follows up with a disbursement record for that student no earlier than (1) seven calendar days prior to the disbursement date under the Advance or Heightened Cash Monitoring 1 payment methods, or (2) the date of the disbursement under the Reimbursement or Heightened Cash Monitoring 2 Payment Method (see Federal Register, Volume 86, Number 119, June 24, 2021). The disbursement record reports the actual disbursement date and the amount of the disbursement. ED processes origination and/or disbursement records and returns acknowledgments to the institution. The acknowledgments identify the processing status of each record: Rejected, Accepted with Corrections, or Accepted. In testing the origination and disbursement data, the auditor should be most concerned with the data ED has categorized as accepted or accepted with corrections. Institutions must report student disbursement data within 15 calendar days after the institution makes a disbursement or becomes aware of the need to make an adjustment to previously reported student disbursement data or expected student disbursement data. Institutions may do this by reporting once every 15 calendar days, bi-weekly or weekly, or may set up their own system to ensure that changes are reported in a timely manner. Key items to test on origination records, if applicable, are: Social Security number, award amount, enrollment date, verification status code (when the applicant is selected for verification), transaction number, cost of attendance, and the “Academic Start Date” and “Academic End Date”. Key items to test on disbursement records are disbursement date and amount. Further, the University must establish and maintain effective internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. Condition and Context: During our testing of the key items on the origination records, we noted the following: • For twenty of the twenty Pell disbursements selected for testwork, the cost of attendance did not agree between University records and the COD system. • For twenty-seven out of the forty-one Direct Loan disbursements selected for testwork, the cost of attendance did not agree between University records and the COD system. • For fourteen of the twenty Pell disbursements selected for testwork, the enrollment date did not agree between University records and the COD system. • For thirty of the forty-one Direct Loan disbursements selected for testwork, the academic start date did not agree between University records and the COD system. In addition, as noted in finding 2023-001, the general information technology controls over the new Oracle Student Financial Planning (OSFP) system were determined to be ineffective and as such the related downstream key application controls could not be relied upon. Therefore, controls related to this compliance requirement could not be tested. Cause: Related to cost of attendance, the incorrect cost of attendance was sent to the COD system due to a system error that existed in the system prior to fiscal year 2024 causing the incorrect cost of attendance to be transmitted to COD. Related to academic start date for the Direct Loan transactions and enrollment date for the Pell transactions, the prior year academic start date was rolled forward for fiscal year 2023, however the first day of classes was not updated. Effect: The cost of attendance and academic start date was reported incorrectly in COD for these students. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed. Recommendation: We recommend that the University ensure that the correct cost of attendance and academic start dates are reported to COD for each student. Views of Responsible Officials: Management agrees with the finding. The incorrect cost of attendance that was reported to COD was the result of a system defect which was reported to OSFP in September of 2023 when a staff member noticed a data mismatch between the University cost of attendance data and COD. OSFP corrected the defect, and the data has been correctly reported since November 23, 2023. The incorrect start date was the result of rolling over the 2021-2022 prior year dates during system start-up. In finalizing the dates for production, the start date year was properly updated but the start day was not updated correctly.

2023 003 Reporting (Financial) Student Financial Assistance Cluster: U.S. Department of Education Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) Federal Grant Numbers: E-P063P130272 (7/1/2022 - 6/30/2023), P268K130272 (7/1/2022 - 6/30/2023) Statistically Valid Sample: No, and it was not intended to be Prior Year Finding: Not a repeat finding. Finding Type: Material Weakness and Noncompliance Criteria: SFA – Title IV Programs Institutions submit Direct Loan, Pell Grant, TEACH Grant, and IASG origination records and disbursement records to the Common Origination and Disbursement (COD) system. Origination records can be sent well in advance of any disbursements, as early as the institution chooses to submit them for any student the institution reasonably believes will be eligible for a payment. An institution follows up with a disbursement record for that student no earlier than (1) seven calendar days prior to the disbursement date under the Advance or Heightened Cash Monitoring 1 payment methods, or (2) the date of the disbursement under the Reimbursement or Heightened Cash Monitoring 2 Payment Method (see Federal Register, Volume 86, Number 119, June 24, 2021). The disbursement record reports the actual disbursement date and the amount of the disbursement. ED processes origination and/or disbursement records and returns acknowledgments to the institution. The acknowledgments identify the processing status of each record: Rejected, Accepted with Corrections, or Accepted. In testing the origination and disbursement data, the auditor should be most concerned with the data ED has categorized as accepted or accepted with corrections. Institutions must report student disbursement data within 15 calendar days after the institution makes a disbursement or becomes aware of the need to make an adjustment to previously reported student disbursement data or expected student disbursement data. Institutions may do this by reporting once every 15 calendar days, bi-weekly or weekly, or may set up their own system to ensure that changes are reported in a timely manner. Key items to test on origination records, if applicable, are: Social Security number, award amount, enrollment date, verification status code (when the applicant is selected for verification), transaction number, cost of attendance, and the “Academic Start Date” and “Academic End Date”. Key items to test on disbursement records are disbursement date and amount. Further, the University must establish and maintain effective internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. Condition and Context: During our testing of the key items on the origination records, we noted the following: • For twenty of the twenty Pell disbursements selected for testwork, the cost of attendance did not agree between University records and the COD system. • For twenty-seven out of the forty-one Direct Loan disbursements selected for testwork, the cost of attendance did not agree between University records and the COD system. • For fourteen of the twenty Pell disbursements selected for testwork, the enrollment date did not agree between University records and the COD system. • For thirty of the forty-one Direct Loan disbursements selected for testwork, the academic start date did not agree between University records and the COD system. In addition, as noted in finding 2023-001, the general information technology controls over the new Oracle Student Financial Planning (OSFP) system were determined to be ineffective and as such the related downstream key application controls could not be relied upon. Therefore, controls related to this compliance requirement could not be tested. Cause: Related to cost of attendance, the incorrect cost of attendance was sent to the COD system due to a system error that existed in the system prior to fiscal year 2024 causing the incorrect cost of attendance to be transmitted to COD. Related to academic start date for the Direct Loan transactions and enrollment date for the Pell transactions, the prior year academic start date was rolled forward for fiscal year 2023, however the first day of classes was not updated. Effect: The cost of attendance and academic start date was reported incorrectly in COD for these students. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed. Recommendation: We recommend that the University ensure that the correct cost of attendance and academic start dates are reported to COD for each student. Views of Responsible Officials: Management agrees with the finding. The incorrect cost of attendance that was reported to COD was the result of a system defect which was reported to OSFP in September of 2023 when a staff member noticed a data mismatch between the University cost of attendance data and COD. OSFP corrected the defect, and the data has been correctly reported since November 23, 2023. The incorrect start date was the result of rolling over the 2021-2022 prior year dates during system start-up. In finalizing the dates for production, the start date year was properly updated but the start day was not updated correctly.

2023 004 Special Tests (Enrollment Reporting) Student Financial Assistance Cluster: U.S. Department of Education Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) Federal Grant Numbers: E-P063P130272 (7/1/2022 - 6/30/2023), P268K130272 (7/1/2022 - 6/30/2023) Statistically Valid Sample: No, and it was not intended to be Prior Year Finding: Not a repeat finding. Finding Type: Significant Deficiency and Noncompliance Criteria: Under the Pell grant and the Direct and Federal Family Education Loan programs, institutions are required to report enrollment information via the National Student Loan Data System (NSLDS) (OMB No. 1845 0035). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update and certify student enrollment statuses, program information and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information. There are two categories of enrollment information; “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. Institutions are responsible for accurately reporting all Campus-Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk: • OPEID number, enrollment effective date, enrollment status and certification date Institutions are responsible for accurately reporting all Program-Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk: • OPEID number, CIP code, CIP year, credential level, published program length measurement, published program length, program begin date, program enrollment status and program enrollment effective date Institutions are responsible for timely reporting, whether they report directly or via a third-party servicer. Institutions must complete and return within 15 days the Enrollment Reporting roster file placed in their Student Aid Internet Gateway (SAIG) (OMB No. 1845-0002) mailboxes sent by ED via NSLDS. An institution determines how often it receives the Enrollment Reporting roster file with the default set at a minimum of every 60 days. Once received, the institution must update for changes in the data elements for the Campus Record and the Program Record identified above, and submit the changes electronically through the batch method, spreadsheet submittal, or the NSLDS website (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309: Perkins 34 CFR 674.19(f)). Additionally, in accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. Condition and Context: The University utilizes the National Student Clearinghouse (the Clearinghouse) as a service provider for transmissions of its enrollment reporting changes to the National Student Loan Data System (NSLDS). The University receives the Enrollment Reporting Roster and updates it for changes in student status. The file is sent to the Clearinghouse who transmits the updated information to NSLDS. There were 40 students selected for testwork. For two of the forty students selected for testwork, the University did not report the student’s status change to NSLDS within 60 days as graduated to NSLDS on the Campus-Level Record. Students were reported 22 – 204 days late. For one of these two students, the degrees for their school were not part of the May submission and were instead posted late in July. After further analysis provided by the University, there were a total of 160 students who were impacted by this issue. Cause: As mentioned above, for one student, the degrees for their school were not part of the May submission and were instead posted late in July. One student graduated and immediately enrolled in a graduate program and therefore the graduation date was not reported timely. Effect: Student status changes not reported in a timely manner will cause the student to not enter into repayment status on a timely basis. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed. Recommendation: We recommend the University review its current policies and procedures to ensure that all status changes are reported to NSLDS timely. Views of Responsible Officials: Management agrees with the finding. For the school where the degrees were not reported timely, there was a total of 160 students whose degree certification information was not reported by the school to the University Registrar in time to be included in the correct batch process. The file reporting May graduates was processed on July 3, 2023 and these students were not included. They were added to the next cycle which was beyond the 60-day requirement. The University Registrar will send a memorandum to all degree certifying officers at the University reminding them that degree certification must be completed by the appropriate date to be certain all students are included on the file that updates NSLDS with the graduation date. The Chancellor Unit registrars will be asked to send out reminders in the weeks leading up to the required submission date and to track the completion of degree certifications. There are instances where students begin enrollment in a new academic program before the degree certification process is completed. Those students are reported as enrolled to prevent them from being incorrectly placed into repayment. That causes the graduation date to be incorrectly reported on the program level record in a timely basis. A process will be developed to allow for the proper reporting of graduation information on the Program-Level Record to NSLDS even when the student remains currently enrolled at the University and is being reported as such on the Campus-Level Record.

2023 004 Special Tests (Enrollment Reporting) Student Financial Assistance Cluster: U.S. Department of Education Federal Pell Grant Program (ALN 84.063) Federal Direct Student Loans (ALN 84.268) Federal Grant Numbers: E-P063P130272 (7/1/2022 - 6/30/2023), P268K130272 (7/1/2022 - 6/30/2023) Statistically Valid Sample: No, and it was not intended to be Prior Year Finding: Not a repeat finding. Finding Type: Significant Deficiency and Noncompliance Criteria: Under the Pell grant and the Direct and Federal Family Education Loan programs, institutions are required to report enrollment information via the National Student Loan Data System (NSLDS) (OMB No. 1845 0035). The administration of the Title IV programs depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Institutions must review, update and certify student enrollment statuses, program information and effective dates that appear on the Enrollment Reporting Roster file or on the Enrollment Maintenance page of the NSLDS Professional Access (NSLDSFAP) website. The data on the institution’s Enrollment Reporting Roster, or Enrollment Maintenance page, is what NSLDS has as the most recently certified enrollment information. There are two categories of enrollment information; “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types. Institutions are responsible for accurately reporting all Campus-Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk: • OPEID number, enrollment effective date, enrollment status and certification date Institutions are responsible for accurately reporting all Program-Level Record data elements. The Department of Education (ED) considers the following data elements to be high risk: • OPEID number, CIP code, CIP year, credential level, published program length measurement, published program length, program begin date, program enrollment status and program enrollment effective date Institutions are responsible for timely reporting, whether they report directly or via a third-party servicer. Institutions must complete and return within 15 days the Enrollment Reporting roster file placed in their Student Aid Internet Gateway (SAIG) (OMB No. 1845-0002) mailboxes sent by ED via NSLDS. An institution determines how often it receives the Enrollment Reporting roster file with the default set at a minimum of every 60 days. Once received, the institution must update for changes in the data elements for the Campus Record and the Program Record identified above, and submit the changes electronically through the batch method, spreadsheet submittal, or the NSLDS website (Pell, 34 CFR 690.83(b)(2); FFEL, 34 CFR 682.610; Direct Loan, 34 CFR 685.309: Perkins 34 CFR 674.19(f)). Additionally, in accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. Condition and Context: The University utilizes the National Student Clearinghouse (the Clearinghouse) as a service provider for transmissions of its enrollment reporting changes to the National Student Loan Data System (NSLDS). The University receives the Enrollment Reporting Roster and updates it for changes in student status. The file is sent to the Clearinghouse who transmits the updated information to NSLDS. There were 40 students selected for testwork. For two of the forty students selected for testwork, the University did not report the student’s status change to NSLDS within 60 days as graduated to NSLDS on the Campus-Level Record. Students were reported 22 – 204 days late. For one of these two students, the degrees for their school were not part of the May submission and were instead posted late in July. After further analysis provided by the University, there were a total of 160 students who were impacted by this issue. Cause: As mentioned above, for one student, the degrees for their school were not part of the May submission and were instead posted late in July. One student graduated and immediately enrolled in a graduate program and therefore the graduation date was not reported timely. Effect: Student status changes not reported in a timely manner will cause the student to not enter into repayment status on a timely basis. Questioned Costs: No questioned costs were noted as a result of the audit procedures performed. Recommendation: We recommend the University review its current policies and procedures to ensure that all status changes are reported to NSLDS timely. Views of Responsible Officials: Management agrees with the finding. For the school where the degrees were not reported timely, there was a total of 160 students whose degree certification information was not reported by the school to the University Registrar in time to be included in the correct batch process. The file reporting May graduates was processed on July 3, 2023 and these students were not included. They were added to the next cycle which was beyond the 60-day requirement. The University Registrar will send a memorandum to all degree certifying officers at the University reminding them that degree certification must be completed by the appropriate date to be certain all students are included on the file that updates NSLDS with the graduation date. The Chancellor Unit registrars will be asked to send out reminders in the weeks leading up to the required submission date and to track the completion of degree certifications. There are instances where students begin enrollment in a new academic program before the degree certification process is completed. Those students are reported as enrolled to prevent them from being incorrectly placed into repayment. That causes the graduation date to be incorrectly reported on the program level record in a timely basis. A process will be developed to allow for the proper reporting of graduation information on the Program-Level Record to NSLDS even when the student remains currently enrolled at the University and is being reported as such on the Campus-Level Record.

2023 005 Procurement and Suspension and Debarment U.S. Department of Treasury: Pass Through - Office of the Secretary of Higher Education (OSHE) COVID-19 - State and Local Fiscal Recovery Funds (CSLFRF) (ALN 21.027) Grant Number: 2021-100-074-2400-085 Statistically Valid Sample: No, and it was not intended to be Prior Year Finding: Not a repeat finding. Finding Type: Material Weakness and Noncompliance Criteria: Non-federal entities are prohibited from contracting with or making subawards under covered transactions to parties that are suspended or debarred. “Covered transactions” include contracts for goods and services awarded under a non-procurement transaction (e.g., grant or cooperative agreement) that are expected to equal or exceed $25,000 or meet certain other criteria as specified in 2 CFR section 180.220. When a non-federal entity enters into a covered transaction with an entity at a lower tier, the non-federal entity must verify that the entity, as defined in 2 CFR section 180.995 and agency adopting regulations, is not suspended or debarred or otherwise excluded from participating in the transaction. This verification may be accomplished by (1) checking the System for Award Management (SAM) Exclusions maintained by the General Services Administration (GSA) and available at SAM.gov | Home (click on Search Record, then click on Advanced Search Exclusions) (Note: The OMB guidance at 2 CFR Part 180 and agency implementing regulations still refer to the SAM Exclusions as the Excluded Parties List System (EPLS)), (2) collecting a certification from the entity, or (3) adding a clause or condition to the covered transaction with that entity (2 CFR section 180.300). Additionally, in accordance with Federal requirements, the University shall maintain internal controls over Federal programs designed to provide reasonable assurance that transactions are executed in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program. Condition and Context: The University received federal grant funds passed through the State of New Jersey as an Appropriation in fiscal year 2023 and a portion of these funds were provided to a third party. Because of the dollar value of the funds provided, the University entered into a covered transaction with this third party. The University did not verify that the entity was not suspended or debarred prior to entering into the covered transaction. Cause: The transaction did not follow the University’s standard grants management process or normal procurement process because of the source of the funding. Both of these processes include a suspension and debarment check prior to payment, and therefore a check was not performed. Effect: Funds could have been provided to an entity who was suspended or debarred. Questioned Costs: We confirmed that the entity was not suspended or debarred. No questioned costs were noted as a result of the audit procedures performed. Recommendation: We recommend the University review its current policies and procedures to ensure that a suspension and debarment check is performed for all covered transactions prior to entering into the covered transaction. Views of Responsible Officials: Management agrees with the finding as the University did not perform a suspension and debarment check on the Developer, NJ Innovation Associates Urban Renewal LLC prior to entering into a covered transaction. It should be noted that the University has the appropriate procedures in place to ensure that suspension and debarment checks are performed for all covered transactions, prior to entering into the covered transaction, in the University’s normal course of business. However, the transaction in question was a non-typical event relating to a capital project and Master Lease Agreement, which is partially funded by Federal funds. Due to timing of approvals, including the Master Lease Agreements, and closing date of the property acquisition, the University had to initiate its “Emergency Domestic Wire Request” process for the land and closing transaction dated May 22, 2023, in the amount of $23,606,527.03. If it was not necessary to initiate this process, then the University’s typical procedures to check suspension and debarment would have occurred. The University will review it procedures for “Emergency Domestic Wire Requests” to ensure that when covered transactions involving Federal funds fall into this process, a suspension and debarment check is performed on covered transactions prior to entering into the covered transaction.