Finding No.: 2024-001
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Special Tests and Provisions – Gramm-Leach-Bliley Act-Student Information Security
Questioned Costs: $0
Criteria:
2 CFR 200.303 requires that a non-federal entity must “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the GLBA because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)).
Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts.
At a minimum, an institution’s written information security program —
(1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
(2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
(3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
(i) Implement and periodically review access controls
(ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
(iii) Encrypt customer information on the institution’s system and when it’s in transit.
(iv) Assess apps developed by the institution
(v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system
(vi) Dispose of customer information securely
(vii) Anticipate and evaluate changes to the information system or network.
(viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
(4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
(5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
(6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
(7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).
Condition:
The University does not have a comprehensive written information security program addressing all the required minimum elements of the GLBA although we have noted that the University performs certain procedures to address some of the aforementioned criteria.
Cause:
The Office of Information Technology (OIT) is not aware of the GLBA requirements that the University needs to comply with effective June 9, 2023.
Effect:
The University has not developed, implemented and maintained a written Information Security Program compliant with federal regulations.
Recommendation:
The OIT, led by the Chief Information Officer, should develop a written Information Security Program as soon as possible to ensure compliance with the federal regulations. Management should review and approve the written Information Security Program annually to ensure that all minimum requirements are met and any changes in regulations are complied with.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-002
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Special Tests and Provisions – Disbursements to or on Behalf of Students
Questioned Costs: $0
Criteria:
34 CFR 668.164 (h) provides that a Title IV credit balance occurs whenever the amount of title IV program funds credited to a student's ledger account for a payment period exceeds the amount assessed the student for allowable charges associated with that payment period. A title IV credit balance must be paid directly to the student or parent as soon as possible, but no later than –
• Fourteen (14) days after the balance occurred if the credit balance occurred after the first day of class of a payment period; or
• Fourteen (14) days after the first day of class of a payment period if the credit balance occurred on or before the first day of class of that payment period.
Condition:
For 9 (or 23%) of 40 samples tested, Title IV credit balances were not paid to the students within the prescribed timelines.
Cause:
The University does not monitor payment of credit balances within the prescribed timelines per federal regulations.
Effect or potential effect:
The University is not in compliance with 2 CFR 668.164 (h).
Recommendation:
The University should develop and implement internal controls whereby payment of credit balances to students in accordance with the prescribed timelines is monitored and documented.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-002
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Special Tests and Provisions – Disbursements to or on Behalf of Students
Questioned Costs: $0
Criteria:
34 CFR 668.164 (h) provides that a Title IV credit balance occurs whenever the amount of title IV program funds credited to a student's ledger account for a payment period exceeds the amount assessed the student for allowable charges associated with that payment period. A title IV credit balance must be paid directly to the student or parent as soon as possible, but no later than –
• Fourteen (14) days after the balance occurred if the credit balance occurred after the first day of class of a payment period; or
• Fourteen (14) days after the first day of class of a payment period if the credit balance occurred on or before the first day of class of that payment period.
Condition:
For 9 (or 23%) of 40 samples tested, Title IV credit balances were not paid to the students within the prescribed timelines.
Cause:
The University does not monitor payment of credit balances within the prescribed timelines per federal regulations.
Effect or potential effect:
The University is not in compliance with 2 CFR 668.164 (h).
Recommendation:
The University should develop and implement internal controls whereby payment of credit balances to students in accordance with the prescribed timelines are monitored and documented.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-002
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Special Tests and Provisions – Disbursements to or on Behalf of Students
Questioned Costs: $0
Criteria:
34 CFR 668.164 (h) provides that a Title IV credit balance occurs whenever the amount of title IV program funds credited to a student's ledger account for a payment period exceeds the amount assessed the student for allowable charges associated with that payment period. A title IV credit balance must be paid directly to the student or parent as soon as possible, but no later than –
• Fourteen (14) days after the balance occurred if the credit balance occurred after the first day of class of a payment period; or
• Fourteen (14) days after the first day of class of a payment period if the credit balance occurred on or before the first day of class of that payment period.
Condition:
For 9 (or 23%) of 40 samples tested, Title IV credit balances were not paid to the students within the prescribed timelines.
Cause:
The University does not monitor payment of credit balances within the prescribed timelines per federal regulations.
Effect or potential effect:
The University is not in compliance with 2 CFR 668.164 (h).
Recommendation:
The University should develop and implement internal controls whereby payment of credit balances to students in accordance with the prescribed timelines are monitored and documented.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-003
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Cash Management
Questioned Costs: $0
Criteria:
34 CFR 685.300(b)(5) requires that on a monthly basis, a school must reconcile institutional records with Direct Loan funds received from the U.S. Department of Education (ED) and Direct Loan disbursement records submitted to and accepted by the ED.
ED’s Electronic Announcements DL-22-07 and GENERAL-22-86 explain that a school must reconcile the funds it received from G5 with actual disbursement records the school submitted to Common Origination and Disbursement (COD) system. Each month, COD sends the school a School Account Statement, which is ED’s official record of the school’s cash and disbursement records and identifies the difference between the net draws from G5 and the actual disbursement information reported to COD by the school. The school is required to account for any differences by reconciling ED’s records (School Account Statements) with the school’s financial and business records.
Condition:
For 4 (or 100%) of 4 months selected for testing, the University has not performed monthly Direct Loan reconciliations as prescribed by regulations.
Cause:
The University does not utilize the School Account Statements as part of its Direct Loan Reconciliation process. Further, there are no review procedures in place to ensure that monthly Direct Loan reconciliations are performed.
Effect or Potential Effect:
The University is not in compliance with the monthly Direct Loan reconciliation requirements.
Recommendation:
The University should develop and implement a process to ensure that monthly Direct Loan reconciliation is performed. This process should incorporate the use of the School Account Statement as set forth in the regulations.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-004
Federal Agency: U.S. Department of Commerce
AL Program: 11.307 Economic Adjustment Assistance
Federal Award No.: 07 79 07557
Area: Special Tests and Provisions – Wage Rate Requirements
Questioned Costs: $0
Criteria:
29 CFR 5.5(a)(3) requires weekly submission by contractor or subcontractor of certified payrolls for each week in which any Davis-Bacon Act- or Related Acts-covered work is performed, to the federal agency, if the agency is a party to the contract, or to the applicant, sponsor, owner, or other entity, as the case may be, that maintains such records, for transmission to the federal agency.
The 2024 Compliance Supplement requires auditors to determine whether the nonfederal entity obtained copies of certified payrolls.
Condition:
The University is a party to a construction contract and did not obtain copies of certified payrolls in a timely manner. During the fiscal year 2024, the University incurred approximately $2.3 million of expenditures related to the contract.
Cause:
The University does not have procedures and internal controls over the timely receipt of certified payrolls from contractors.
Effect or Potential Effect:
The University is not in compliance with the timely receipt of certified payrolls from contractors in accordance with 29 CFR 5.5.
Recommendation:
The University should establish and implement effective internal control to comply with the requirements of 29 CFR 5.5.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-005
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Special Tests and Provisions – Enrollment Reporting
Questioned Costs: $0
Criteria:
OMB No. 1845-0035 requires institutions of higher education to report enrollment information under the Pell grant and the Direct loan programs via the National Student Loan Data System (NSLDS). There are two categories of enrollment information, “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types.
Institutions are responsible for accurately reporting all Campus-Level Record and Program-Level Record data elements. Below are some of the data elements that are considered to be high risk by ED.
Campus-Level Record data:
• Enrollment Effective Date – The date that the current enrollment status reported for a student was first effective.
• Enrollment Status – The student’s enrollment status as of the reporting date; full-time (F), three-quarter time (Q), half-time (H), less than half-time (L), leave of absence (A), graduated (G), withdrawn (W), deceased (D), never attended (X) and record not found (Z).
• Certification Date – The date enrollment was certified by the institution. At a minimum, institutions are required to certify enrollment every 60 days or every other month.
Program-Level Record data:
• Program Begin Date – The Program Begin Date is the date the student first began attending the program being reported. Typically, this would be the first day of the term in which the student began enrollment in the program, unless the student enrolled in the program on an earlier date.
• Program Enrollment Status – The student’s enrollment status as of the reporting date; full-time (F), three-quarter time (Q), half-time (H), less than half-time (L), leave of absence (A), graduated (G), withdrawn (W), deceased (D), never attended (X) and record not found (Z).
• Program Enrollment Effective Date – The date when the student's current program status first took effect.
Condition:
For the 40 samples we tested for the above attributes, we noted that:
(1) 16 samples inaccurately reported the Enrollment Effective Date.
(2) 7 samples inaccurately reported the Enrollment Status. These include 4 out of 4 graduated student samples being reported as withdrawn (W).
(3) 35 samples have not been certified within at least 60 days.
(4) 20 samples inaccurately reported the Program Begin Date.
(5) 7 samples inaccurately reported the Program Enrollment Status.
(6) 20 samples inaccurately reported the Program Enrollment Effective Date.
Cause:
There are no review procedures performed to ensure that information reported to NSLDS is accurate.
Effect or potential effect:
The University is not in compliance with enrollment reporting requirements to NSLDS.
Recommendation:
The University should develop and implement review procedures to ensure that reported Campus-Level data and Program-Level data via NSLDS are accurate and agree to the University’s records.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-006
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Reporting
Questioned Costs: $0
Criteria:
To participate in the Federal Perkins Loan, Federal Work-Study (FWS) or Federal Supplemental Educational Opportunity Grants (FSEOG) programs and when administering such programs, an institution should submit the following reports.
(1) Application to participate as required by 34 CFR 673.3
(2) Fiscal Operations Report as required by 34 CFR 674.19, 34 CFR 675.19 and 34 CFR 676.19
The Fiscal Operations Report covers the most recently completed award year (award year runs from July 1 to June 30) and the Application to Participate is for the award year subsequent to the current award year.
Based on the Fiscal Operations Report for 2022-23 and Application to Participate for 2024-25 Instructions (“instructions”) published by ED, some of the key line items that contain critical information should be reported as follows:
1. Part II (Application), Section D, Line 7: Total number of students for schools with a traditional calendar
Schools that operate on a traditional academic calendar, or that have a majority of their eligible programs operating on a traditional calendar, must enter an unduplicated number of all postsecondary students enrolled (full time and less than full time) for the twelve-month period ending June 30, 2023. “Unduplicated” means each student is counted/reported only ONCE, regardless of how many terms a student is enrolled.
2. Part II (Application), Section E, Line 22: Total tuition and fees
The tuition and fees revenue must be only for those students reported in Section D and should not include tuition and fees revenue collected from individuals not meeting Section D’s description of an enrolled student. If a student enrolled as an undergraduate during an earlier term in 2022–23 but enrolled as a graduate student in a subsequent term in 2022–23, divide the tuition and fees revenue between columns (a) (undergraduate) and (b) (graduate) in proportion to the time spent in each type of class.
“Tuition and fees assessed” means:
• amounts you charged and collected;
• amounts you charged but did not collect;
• remissions or waivers of costs (for example, your school waives a book fee for all low-income students); and
• the types of fees included in the cost of attendance, as allowed under Part F, Section 472(1) of the Higher Education Act of 1965, as amended.
3. Part II (Application), Section E, Line 23: Total Federal Pell Grant expenditures
The institution should report the total amount expended against its Federal Pell Grant 2022–23 award year authorization. This amount should agree with the final cumulative expenditures for the 2022–23 award year as entered in G5. Any Pell expenditure adjustments for the 2022–23 award year in G5 after filing this FISAP must also be made upon submission of edit corrections, due by December 15, 2023.
Condition:
Based on our testing of the Fiscal Operations Report for 2022-23 and Application to Participate for 2024-25, we have noted the following:
1. Reported information on Part II (Application), Section D, Line 7 does not agree with the University’s records.
2. We were unable to verify that the amount reported in Part II (Application), Section E, Line 22 is in compliance with aforementioned criteria.
3. Reported amount on Part II (Application), Section E, Line 23 is higher by $57,139 compared to final cumulative expenditures for the 2022–23 award year as entered in G5.
Cause:
There are no review procedures performed to ensure that information is accurately reported based on FISAP instructions.
Effect or potential effect:
The University is not in compliance with the reporting requirements for the Fiscal Operations Report for 2022-23 and Application to Participate for 2024-25.
Recommendation:
The University should designate responsible personnel to review the accuracy of reported information. At a minimum, review procedures should include obtaining and checking the details supporting the reported information to ensure that they are accurately reported based on FISAP instructions.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-001
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Special Tests and Provisions – Gramm-Leach-Bliley Act-Student Information Security
Questioned Costs: $0
Criteria:
2 CFR 200.303 requires that a non-federal entity must “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the GLBA because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)).
Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts.
At a minimum, an institution’s written information security program —
(1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
(2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
(3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
(i) Implement and periodically review access controls
(ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
(iii) Encrypt customer information on the institution’s system and when it’s in transit.
(iv) Assess apps developed by the institution
(v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system
(vi) Dispose of customer information securely
(vii) Anticipate and evaluate changes to the information system or network.
(viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
(4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
(5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
(6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
(7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).
Condition:
The University does not have a comprehensive written information security program addressing all the required minimum elements of the GLBA, although we have noted that the University performs certain procedures to address some of the aforementioned criteria.
Cause:
The Office of Information Technology (OIT) is not aware of the GLBA requirements that the University needs to comply with effective June 9, 2023.
Effect:
The University has not developed, implemented and maintained a written Information Security Program compliant with federal regulations.
Recommendation:
The OIT, led by the Chief Information Officer, should develop a written Information Security Program as soon as possible to ensure compliance with the federal regulations. Management should review and approve the written Information Security Program annually to ensure that all minimum requirements are met and any changes in regulations are complied with.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-001
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Special Tests and Provisions – Gramm-Leach-Bliley Act-Student
Information Security
Questioned Costs: $0
Criteria:
2 CFR 200.303 requires that a non-federal entity must “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the GLBA because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)).
Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts.
At a minimum, an institution’s written information security program —
(1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
(2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)).
(3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
(i) Implement and periodically review access controls
(ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
(iii) Encrypt customer information on the institution’s system and when it’s in transit.
(ⅳ) Assess apps developed by the institution
(ⅴ) Implement multi-factor authentication for anyone accessing customer information on the institution’s system
(ⅵ) Dispose of customer information securely
(ⅶ) Anticipate and evaluate changes to the information system or network.
(ⅷ) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
(4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
(5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
(6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
(7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)).
Condition:
The University does not have a comprehensive written information security program addressing all the required minimum elements of the GLBA although we have noted that the University performs certain procedures to address some of the aforementioned criteria.
Cause:
The Office of Information Technology (OIT) is not aware of the GLBA requirements that the University needs to comply with effective June 9, 2023.
Effect:
The University has not developed, implemented and maintained a written Information Security Program compliant with federal regulations.
Recommendation:
The OIT led by the Chief Information Officer should develop a written Information Security Program as soon as possible to ensure compliance to the federal regulations. Management should review and approve the written Information Security Program annually to ensure that all minimum requirements are met and any changes in regulations are complied with.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-001
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Special Tests and Provisions – Gramm-Leach-Bliley Act-Student
Information Security
Questioned Costs: $0
Criteria:
2 CFR 200.303 requires that a non-federal entity must “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the GLBA because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)).
Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts.
At a minimum, an institution’s written information security program —
(1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
(2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
(3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
(i) Implement and periodically review access controls
(ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
(iii) Encrypt customer information on the institution’s system and when it’s in transit.
(iv) Assess apps developed by the institution
(v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system
(vi) Dispose of customer information securely
(vii) Anticipate and evaluate changes to the information system or network.
(viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
(4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
(5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
(6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
(7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).
Condition:
The University does not have a comprehensive written information security program addressing all the required minimum elements of the GLBA although we have noted that the University performs certain procedures to address some of the aforementioned criteria.
Cause:
The Office of Information Technology (OIT) is not aware of the GLBA requirements that the University needs to comply with effective June 9, 2023.
Effect:
The University has not developed, implemented and maintained a written Information Security Program compliant with federal regulations.
Recommendation:
The OIT, led by the Chief Information Officer, should develop a written Information Security Program as soon as possible to ensure compliance with the federal regulations. Management should review and approve the written Information Security Program annually to ensure that all minimum requirements are met and any changes in regulations are complied with.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-002
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Special Tests and Provisions – Disbursements to or on Behalf of Students
Questioned Costs: $0
Criteria:
34 CFR 668.164 (h) provides that a Title IV credit balance occurs whenever the amount of title IV program funds credited to a student's ledger account for a payment period exceeds the amount assessed the student for allowable charges associated with that payment period. A title IV credit balance must be paid directly to the student or parent as soon as possible, but no later than –
• Fourteen (14) days after the balance occurred if the credit balance occurred after the first day of class of a payment period; or
• Fourteen (14) days after the first day of class of a payment period if the credit balance occurred on or before the first day of class of that payment period.
Condition:
For 9 (or 23%) of 40 samples tested, Title IV credit balances were not paid to the students within the prescribed timelines.
Cause:
The University does not monitor payment of credit balances within the prescribed timelines per federal regulations.
Effect or potential effect:
The University is not in compliance with 2 CFR 668.164 (h).
Recommendation:
The University should develop and implement internal controls whereby payment of credit balances to students in accordance with the prescribed timelines is monitored and documented.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-003
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Cash Management
Questioned Costs: $0
Criteria:
34 CFR 685.300(b)(5) requires that on a monthly basis, a school must reconcile institutional records with Direct Loan funds received from the U.S. Department of Education (ED) and Direct Loan disbursement records submitted to and accepted by the ED.
ED’s Electronic Announcements DL-22-07 and GENERAL-22-86 explain that a school must reconcile the funds it received from G5 with the actual disbursement records the school submitted to the Common Origination and Disbursement (COD) system. Each month, COD sends the school a School Account Statement, which is ED’s official record of the school’s cash and disbursement records and identifies the difference between the net draws from G5 and the actual disbursement information reported to COD by the school. The school is required to account for any differences by reconciling ED’s records (School Account Statements) with the school’s financial and business records.
Condition:
For 4 (or 100%) of 4 months selected for testing, the University has not performed monthly Direct Loan reconciliations as prescribed by regulations.
Cause:
The University does not utilize the School Account Statements as part of its Direct Loan Reconciliation process. Further, there are no review procedures in place to ensure that monthly Direct Loan reconciliations are performed.
Effect or Potential Effect:
The University is not in compliance with the monthly Direct Loan reconciliation requirements.
Recommendation:
The University should develop and implement a process to ensure that monthly Direct Loan reconciliation is performed. This process should incorporate the use of the School Account Statement as set forth in the regulations.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-004
Federal Agency: U.S. Department of Commerce
AL Program: 11.307 Economic Adjustment Assistance
Federal Award No.: 07 79 07557
Area: Special Tests and Provisions – Wage Rate Requirements
Questioned Costs: $0
Criteria:
29 CFR 5.5(a)(3) requires weekly submission by contractor or subcontractor of certified payrolls for each week in which any Davis-Bacon Act- or Related Acts-covered work is performed, to the federal agency, if the agency is a party to the contract, or to the applicant, sponsor, owner, or other entity, as the case may be, that maintains such records, for transmission to the federal agency.
The 2024 Compliance Supplement requires auditors to determine whether the nonfederal entity obtained copies of certified payrolls.
Condition:
The University is a party to a construction contract and did not obtain copies of certified payrolls in a timely manner. During the fiscal year 2024, the University incurred approximately $2.3 million of expenditures related to the contract.
Cause:
The University does not have procedures and internal controls over the timely receipt of certified payrolls from contractors.
Effect or Potential Effect:
The University is not in compliance with the timely receipt of certified payrolls from contractors in accordance with 29 CFR 5.5.
Recommendation:
The University should establish and implement effective internal control to comply with the requirements of 29 CFR 5.5.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-005
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Special Tests and Provisions – Enrollment Reporting
Questioned Costs: $0
Criteria:
OMB No. 1845-0035 requires institutions of higher education to report enrollment information under the Pell grant and the Direct loan programs via the National Student Loan Data System (NSLDS). There are two categories of enrollment information, “Campus Level” and “Program Level,” both of which need to be reported accurately and have separate record types.
Institutions are responsible for accurately reporting all Campus-Level Record and Program-Level Record data elements. Below are some of the data elements that are considered to be high risk by ED.
Campus-Level Record data:
• Enrollment Effective Date – The date that the current enrollment status reported for a student was first effective.
• Enrollment Status – The student’s enrollment status as of the reporting date; full-time (F), three-quarter time (Q), half-time (H), less than half-time (L), leave of absence (A), graduated (G), withdrawn (W), deceased (D), never attended (X) and record not found (Z).
• Certification Date – The date enrollment was certified by the institution. At a minimum, institutions are required to certify enrollment every 60 days or every other month.
Program-Level Record data:
• Program Begin Date – The Program Begin Date is the date the student first began attending the program being reported. Typically, this would be the first day of the term in which the student began enrollment in the program, unless the student enrolled in the program on an earlier date.
• Program Enrollment Status – The student’s enrollment status as of the reporting date; full-time (F), three-quarter time (Q), half-time (H), less than half-time (L), leave of absence (A), graduated (G), withdrawn (W), deceased (D), never attended (X) and record not found (Z).
• Program Enrollment Effective Date – The date when the student's current program status first took effect.
Condition:
For the 40 samples we tested for the above attributes, we noted that:
(1) 16 samples inaccurately reported the Enrollment Effective Date.
(2) 7 samples inaccurately reported the Enrollment Status. These include 4 out of 4 graduated student samples being reported as withdrawn (W).
(3) 35 samples have not been certified within at least 60 days.
(4) 20 samples inaccurately reported the Program Begin Date.
(5) 7 samples inaccurately reported the Program Enrollment Status.
(6) 20 samples inaccurately reported the Program Enrollment Effective Date.
Cause:
No review procedures are performed to ensure that information reported to NSLDS is accurate.
Effect or potential effect:
The University is not in compliance with enrollment reporting requirements to NSLDS.
Recommendation:
The University should develop and implement review procedures to ensure that reported Campus-Level data and Program-Level data via NSLDS are accurate and agree to the University’s records.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-006
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Reporting
Questioned Costs: $0
Criteria:
To participate in the Federal Perkins Loan, Federal Work-Study (FWS) or Federal Supplemental Educational Opportunity Grants (FSEOG) programs and when administering such programs, an institution should submit the following reports.
(1) Application to participate as required by 34 CFR 673.3
(2) Fiscal Operations Report as required by 34 CFR 674.19, 34 CFR 675.19 and 34 CFR 676.19
The Fiscal Operations Report covers the most recently completed award year (award year runs from July 1 to June 30) and the Application to Participate is for the award year subsequent to the current award year.
Based on the Fiscal Operations Report for 2022-23 and Application to Participate for 2024-25 Instructions (“instructions”) published by ED, some of the key line items that contain critical information should be reported as follows:
1. Part II (Application), Section D, Line 7: Total number of students for schools with a traditional calendar
Schools that operate on a traditional academic calendar, or that have a majority of their eligible programs operating on a traditional calendar, must enter an unduplicated number of all postsecondary students enrolled (full time and less than full time) for the twelve-month period ending June 30, 2023. “Unduplicated” means each student is counted/reported only ONCE, regardless of how many terms a student is enrolled.
2. Part II (Application), Section E, Line 22: Total tuition and fees
The tuition and fees revenue must be only for those students reported in Section D and should not include tuition and fees revenue collected from individuals not meeting Section D’s description of an enrolled student. If a student enrolled as an undergraduate during an earlier term in 2022–23 but enrolled as a graduate student in a subsequent term in 2022–23, divide the tuition and fees revenue between columns (a) (undergraduate) and (b) (graduate) in proportion to the time spent in each type of class.
“Tuition and fees assessed” means:
• amounts you charged and collected;
• amounts you charged but did not collect;
• remissions or waivers of costs (for example, your school waives a book fee for all low-income students); and
• the types of fees included in the cost of attendance, as allowed under Part F, Section 472(1) of the Higher Education Act of 1965, as amended.
3. Part II (Application), Section E, Line 23: Total Federal Pell Grant expenditures
The institution should report the total amount expended against its Federal Pell Grant 2022–23 award year authorization. This amount should agree with the final cumulative expenditures for the 2022–23 award year as entered in G5. Any Pell expenditure adjustments for the 2022–23 award year in G5 after filing this FISAP must also be made upon submission of edit corrections, due by December 15, 2023.
Condition:
Based on our testing of the Fiscal Operations Report for 2022-23 and Application to Participate for 2024-25, we have noted the following:
1. Reported information on Part II (Application), Section D, Line 7 does not agree with the University’s records.
2. We were unable to verify that the amount reported in Part II (Application), Section E, Line 22 is in compliance with aforementioned criteria.
3. Reported amount on Part II (Application), Section E, Line 23 is higher by $57,139 compared to final cumulative expenditures for the 2022–23 award year as entered in G5.
Cause:
No review procedures are performed to ensure that information is accurately reported based on FISAP instructions.
Effect or potential effect:
The University is not in compliance with the reporting requirements for the Fiscal Operations Report for 2022-23 and Application to Participate for 2024-25.
Recommendation:
The University should designate responsible personnel to review the accuracy of reported information. At a minimum, review procedures should include obtaining and checking the details supporting the reported information to ensure that they are accurately reported based on FISAP instructions.
Views of Responsible Officials:
Management agrees with the finding. See Corrective Action Plan.