Corrective Action Plans

The County will implement additional review procedures.

The original preparer will provide the report prior to submission to the United States Department of Treasury each quarter to another employee in the Administration office to cross reference totals from New World financial software system and information provided from the Auditor's Office. A written report on findings of this review will be submitted to the Auditor's Office by the due date of the submission to the United States Department of the Treasury.

The District will utilize DESE's Federal & State Grant Manual document as a guide to ensure compliance with grant management.

To ensure compliance with the provisions of the Gramm-Leach-Bliley Act (GLBA), specifically the requirement that the District’s written Enterprise Data Governance Standard (EDGS) includes a description of the use of a data inventory that includes how the institution is identifying and managing data, personnel, devices, systems and facilities, management has revised the EDGS to specify that a data inventory for each functional system domain shall take place annually under the direction of the Data Owners and the procedures performed and results shall be adequately documented. Implementation Date: August 2024 Responsible Persons: Phong Banh, District Director of Information Technology Services Patrick Vrba, Controller

Corrective Action Plan For the Fiscal Year Ended August 31, 2023 Finding 2023-002 – Special Tests and Provisions – Enrollment Reporting Name of contact person responsible for corrective action: John Carrescia, jcarresc@wagner.edu; 718-420-4264 Corrective action: The College has been working diligently across multiple departments on campus to make these historical corrections. We have identified the various groupings of students that require correction, and have worked through our historical data to update the program begin date (campus level data) to be the first day of the earliest semester for which each student began attending their respective program. We have submitted the listings to the National Student Clearinghouse for revision. We currently have a process in place and are working collaboratively with our information technology system analysts to implement controls to ensure the correct program begin date is used for all future students entering the College. We are currently in the process of reviewing and updating our program level enrollment data. Proposed Completion Date: August 31, 2024

Name of Responsible Individual: Dylan Nowakowski Assistant Director of Financial Aid Corrective Action: For one of two reconciliations tested we were unable to provide documentation that the reconciliation was done. The reconciliation was done, however, there was a server error in the system that caused Wheeling to lose some files. Two of the reconciliation files are missing due to this. We have a Financial Aid Office policy that has been established to ensure that reconciliations are made once a month. Since the loss of the backup system, the files are both saved and printed to avoid any more loss of files. During this period, we were using a now-defunct backup system. We have now moved to multiple backup systems and a new storage server. Our storage server is now a virtual machine with a high availability setup where we have 2 large drive systems continually being mirrored. The backup system has 2 servers with large drive systems. We continually alternate file backups each day as needed. As the backups finish, they are moved up to the cloud each time. Also, we have in place a 30-day non-overwrite policy on the files backed up to the cloud. Anticipated Completion Date: July 2022

Name of Responsible Individual: Tracy Jenkins, Student Accounts Corrective Action: We recognized that students were not receiving the Right to Cancel notifications in a timely manner. We also understood the need for students to receive this information to make an important educational/fiscal decision. As of September 2023, on a monthly basis, notifications were sent to student University emails and parent’s personal email (Plus Loan recipients) informing them of their Right to Cancel. Anticipated Completion Date: September 2023

Name of Responsible Individual: Shelia Yates-Mattingly, Registrar Corrective Action: In response to Finding 2023-005, Wheeling University will continue the enrollment reporting process that was implemented in October 2023, which was in response to Finding 2022-005. With the stability of staffing in the Registrar’s Office and Financial Aid Office and the level of experience and competence of this staff, enrollment reporting has been completed within the parameters of regulatory guidelines. The Registrar’s Office submits enrollment reports as scheduled and subsequent error resolution reports as appropriate. The Financial Aid Office reviews identified NSLDS errors, corrects and resubmits them timely. Regularly scheduled meetings, including the Registrar’s and Financial Aid Offices, continue as noted in corrective action for Finding 2022-005. These meetings serve as the platform to discuss and address identified enrollment reporting concerns/issues timely, resulting in improved accuracy in enrollment reporting and timeliness in error resolution. Anticipated Completion Date: The current process has been in place since October 2023 and is ongoing.

Name of Responsible Individual: Tracy Jenkins, Student Accounts Corrective Action: Wheeling University worked with ECSI regarding Perkins information. With the Perkins program ending, we realized that we needed to move in the direction of closing out Perkins files/information. The University is currently working with ECSI so that we are able to submit Perkins information/files to the Department of Education. We are gathering information (promissory notes, bankruptcy details, payment information, etc.) to assist ECSI with the process. Anticipated Completion Date: May 2024

Name of Responsible Individual: Dylan Nowakowski, Assistant Director of Financial Aid Corrective Action: In the past, Colleague was not used to calculate return to title IV. Once Colleague was properly set up for Financial Aid, the Associate Director discovered that the calendars did not match the actual publicized academic calendar. Had the calendar been accurate with the correct dates of breaks of 5 days or more, Colleague would not have accepted a withdrawal date during the break. This error within the system should not be counted as a finding. The calendar in Colleague is now correct. All breaks that are five days or more are accurate. At Wheeling, we have a comprehensive R2T4 policy. This policy outlines how to count calendar days in a semester and provides clear instructions on what to do when a student withdraws during a break. Anticipated Completion Date: July 2023

Name of Responsible Individual: Tyler Hosey, Senior Accountant Corrective Action: The University acknowledges that the internal controls surrounding the cash management of the Federal Research and Development Programs was not in compliance for federal standards. The University is in the process of enhancing the internal controls and cash management procedures to prevent this from happening in the future. Going forward all federal grant funds that are allocated for the Challenger Learning Center will go directly into the appropriate bank account and will be drawn down and spent in the correct time frame. When operating expenses are incurred for the Challenger Learning Center the payment will be processed from the University’s general checking and the federal grant funds will reimburse the University that day. The same is also true for the payroll expenses incurred by the Challenger Learning Center. Wages will be paid out of the university’s general checking account and then reimbursed to the university from the bank account that hold the federal grant funds. Anticipated Completion Date: June 2024

In order to address this audit finding, CMN financial aid staff plans to seek continual improvement in the areas relating to Pell calculations. Through both Federal Student Aid and National Association of Financial Aid Administrators (NASFAA), staff will complete trainings to understand all aspects of calculating awards, as well as staying up to date on regulatory changes through our student information system. In addition to more training in this area, priority will be placed on rechecking and auditing Pell awards so that they are reviewed during the award year. Staff has already begun reviewing fall 2023 Pell awards for accuracy and will continue to review awards as terms move forward.

During the year, the Board utilized an approved procurement method for these services.

During the year, the Board utilized an approved procurement method for these services.

Special Tests and Provisions: Return of Title IV funds for withdrawn students (Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011) Name of contact person responsible for corrective action plan: Rhett R. Vertrees, Assistant Chief Financial Officer 2601 Enterprise Road, Reno NV 89512-1666 Phone: (775)784-3409, Fax: (775)784-1127 Email: rvertrees@nshe.nevada.edu Responses CSN agrees with the findings. • Detailed corrective action taken, including what will be done to avoid the identified issues in the future, and when these measures will be in place; CSN has started to select additional team members to cross train with seasoned R2T4 team members on the processing of R2T4 files. This will ensure that files are processed in a timely manner and meet compliance requirements. Additionally, training opportunities will be assessed and offered to the team members who are processing R2T4 records on an ongoing basis. Additionally, CSN is currently assessing a potential 3rd party vendor to assist with the processing of R2T4s as needed on an ongoing basis. • How compliance and performance will be measured and documented for future audit, management and performance review. Cross training and workshop opportunities will be provided to ensure knowledge and compliance for the R2T4 team and any staff member assisting with processing of R2T4 records. Queries will be utilized to track R2T4 files to ensure timely processing. • Who will be responsible and may be held accountable in the future if repeat or similar observations are noted. The Assistant Director of Financial Aid will be responsible and may be held accountable.

Internal Control over Compliance (Repeat Finding 2022-001, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002, 2015-002, 2014-008) Name of contact person responsible for corrective action plan: Rhett R. Vertrees, Assistant Chief Financial Officer 2601 Enterprise Road, Reno NV 89512-1666 Phone: (775)784-3409, Fax: (775)784-1127 Email: rvertrees@nshe.nevada.edu Responses UNR agrees with the findings • Detailed corrective action taken, including what will be done to avoid the identified issues in the future, and when these measures will be in place; The technical staff can only have the PeopleSoft Administrator (PSA) role in either development or production, but not both. There is an approval process in place to ensure that access is removed from either development or production when a PSA needs to be moved across to the other environment. This process became effective March 1, 2023. There is a quarterly security review of the PeopleSoft Administrator role in PeopleSoft. The first quarterly review was performed in FY16 Q1 and has been performed each quarter since. The reviews are documented and approved. There is a quarterly security review of the PeopleSoft Administrator activities in PeopleSoft. The first quarterly review was performed in FY22 Q4 and has been performed each quarter since. The reviews are documented and approved. There is a quarterly security review of the PeopleSoft Oracle database and user access. The first quarterly review was performed in FY20 Q2 and has been performed each quarter since. The reviews are documented and approved. • How compliance and performance will be measured and documented for future audit, management and performance review. Compliance and performance can be measured by the documented quarterly reviews. • Who will be responsible and may be held accountable in the future if repeat or similar observations are noted. The PeopleSoft Manager will be responsible for ensuring the corrective actions plans are implemented and followed. The Vice President of Information Technology will be accountable for the department’s compliance. UNLV agrees with the finding. • Detailed corrective action taken, including what will be done to avoid the identified issues in the future, and when these measures will be in place; UNLV understands the importance of adequate segregation of duties within the PeopleSoft environments and applications. The PeopleSoft Administrator (PSA) position that is the subject of the finding is responsible for the installation, configuration, upgrades, and troubleshooting of all the application environments. The PeopleSoft Administrators are not programmers/developers, and their access to the production environments is periodically required to perform the needed activities required to provide timely support of the application within the scope of their job duties. UNLV has implemented the following controls to mitigate the risks associated with the elevated access required for the administrators to perform their required support activities. 1. UNLV has removed all persistent assignment of the PeopleSoft Administrator role from all PSAs in all environments. 2. The PeopleSoft Administrator role is temporarily assigned only when elevated actions are required. All assignments are of a limited duration and include a justification detailing the need and actions to be performed. All assignments trigger the follow actions: a. An immediate notification to the Director of Business Continuity & Resiliency and the Interim Senior Associate Vice Provost for Digital Strategy and Transformation. b. Removal is automatic but can be initiated by PSA if work is completed sooner than expected. c. All details around the assignment are captured in a tracking table. d. A review of all assignments and activities is performed monthly. 3. UNLV will continue to review access, activities, and assigned privileges monthly for the PeopleSoft Administrators. 4. UNLV will continue researching and implementing other control methods that may strengthen the segregation of duties or the monitoring capabilities that are available. • How compliance and performance will be measured and documented for future audit, management and performance review. The PeopleSoft Administrator role is no longer persistently assigned to the PSA position. It is only assigned upon request with the knowledge and approval of approving authorities. UNLV performs monthly reviews of the access and activities to determine if the PeopleSoft Administrators' activities align with the necessary support. Additionally, UNLV will continue to research other control methods that will address the segregation of duties while providing appropriate service and support. • Who will be responsible and may be held accountable in the future if repeat or similar observations are noted. The Director of Business Continuity & Resiliency will be responsible for performing the activity reviews and access needs of the PeopleSoft Administrators. The Director will complete the reviews and is also accountable if repeat or similar observations are noted. The Chief Information Security Officer will verify that reviews are conducted on a monthly basis per audit practices. SCS agrees with the findings • Detailed corrective action taken, including what will be done to avoid the identified issues in the future, and when these measures will be in place; In addition to the compensating controls (a) to (d), that have been operating since prior to FY23 the segregation of PeopleSoft Administrators (PSA) is enforced through a “locked account” process. Only two employees have PSA access in both the Production and Development environment. Each employee can only have access to the Production or Development environment at any one time, i.e., the PSA account in the other environment remains locked. A JIRA ticket must be opened for an account to be unlocked. The request is approved by management and the account is unlocked by a member of the IT Security Team. The controls listed below should also mitigate the segregation of duties risk and support a review of “user activities” in the absence of an appropriate user activities audit log function. (a) STAT for PeopleSoft – Code control and internal modification tracking provides visibility over PSA activities that are processed via this tool. These object changes are reviewed and approved by the Director of Information and Application Services. (b) JIRA ‐ Change control management and project tracking software. Change requests and projects related to the PeopleSoft shared instance are tracked and approved. This would include user access modifications and system updates for example. (c) Security e‐mail alerts – The SCS security team are alerted via automated e‐mails when key events are triggered. For example, an elevated role is assigned to a user. (d) User Access Reviews – On an annual basis an independent user access review is performed incorporating SCS/SA privileged users and all shared instance security coordinators. • How compliance and performance will be measured and documented for future audit, management and performance review. The PeopleSoft Administrators will have persistent unlocked access to either the Production or Development environments only. Their corresponding account in the other environment will remain locked. In the event that access is needed to the locked environment, a ticket will be created requesting access which will document the rationale and approvals. In addition, PSA activities are monitored via the change control process through STAT for PeopleSoft. Object changes within the Production environment for example, are approved along with the associated workflows. • Who will be responsible and may be held accountable in the future if repeat or similar observations are noted. The SCS Director of Information and Application Services, and SCS Security Group are responsible for locking/unlocking PSA accounts. The SCS Security Group monitor PeopleSoft e-mail alerts. The IT Audit Manager is performing annual SCS/SA privileged user access reviews.

CORRECTIVE ACTION PLAN FOR FINDINGS REPORTED UNDER UNIFORM GUIDANCE Lyle School District No. 406 September 1, 2022 through August 31, 2023 This schedule presents the corrective action the District is planning to take for findings included in this report in accordance with Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Finding ref number: 2023-001 Finding caption: The District did not have adequate internal controls for ensuring compliance with federal wage rate requirements. Name, address, and telephone of District contact person: Susan Carabin, Business Manager PO Box 368 Lyle, WA 98635 (509) 365-2191 Corrective action the auditee plans to take in response to the finding: Since learning of the requirement regarding payroll reports, the District immediately asked our contractor to build a shared file that contains the certified weekly payroll reports. We now download and document the reports once per week. Anticipated date to complete the corrective action: 3/28/2024

Audit Finding Reference: 2023 - 001 Planned Corrective Action: At this time, all files selected for the audit have corresponding records successfully submitted to the Department of Housing and Urban Development through the PIH Information Center ("PIC") submission portal. BRHP will continue weekly PIC submissions and clearing of fatal errors. The late PIC submissions identified were a result of late 50058 approvals which resulted in late PIC submission. The 50058's were uploaded to PIC within 5 days of the approval. BRHP monitors 50058's related to moves in a weekly leasing report. In addition, BRHP meets biweekly to discuss the report. BRHP will monitor the weekly leasing report to review the lease effective dates to HAP executed dates to ensure the actions are approved timely. Name of Contact Person: FaShaunDa Walton, Housing Mobility Director Anticipated completion date: June 30, 2024

Coronavirus State and Local Fiscal Recovery Funds – 21.027 Recommendation: We recommend the Organization adopt a written procurement policy to be used when selecting vendors. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action planned/taken in response to finding: Willis Dady’s Executive Director and Facilities Director will develop a written procurement process for approval from the agency Finance Committee and Board of Directors. Name(s) of the contact person(s) responsible for corrective action: Alicia Faust, Executive Director Planned completion date for corrective action plan: 6/3/2024 If there are questions regarding this plan, please call Alicia Faust, Executive Director at 319-362-7555. Willis Dady Emergency Shelter, Inc. respectfully submits the following summary schedule of prior audit findings for the year ended December 31, 2023. Audit period: January 1, 2023 – December 31, 2023 The findings from the prior audit’s schedule of findings and questioned costs are discussed below. The findings are numbered consistently with the numbers assigned in the prior year.

Finding Number: 2023-003 – Procurement/Full and open competition Anticipated Completion Date: April 2024 Responsible Contact Person: Jocelyn Lombardozzi Planned Corrective Action: In response to this finding, an analysis of 2023 labor charged to awards was conducted. The results of the analysis revealed that a net amount of $35,238 more could have been charged to the awards which the Company will not pursue charging to the awards. An analysis of labor charged to awards active in the first quarter of 2024 has also been performed to ensure that active awards are being charged according to employee’s actual pay. As of April 1, 2024, the Company has transitioned to a new accounting system. This system is configured to require employees working on sponsored projects to utilize percentage of effort and effort certification functionality for tracking actual time and actual labor costs to awards. Budgeted labor rates are no longer being used as of April 1, 2024.

The District will contact DESE for guidance regarding the failure to comply with The Davis­ Bacon Act for contracts written using Federal funds. The District will also implement proper controls over program expenditures

INVOICES: A copy of all invoices will be kept in the cafeteria. An employee of the District will review the invoices for allowable costs

3. Finding 2023-002 - Major Federal Award Programs Audit a. Comments on the Finding and Recommendation We concur with the auditors finding as follows: During the years ended July 31, 2019, 2020, 2021, 2022 and 2023 management did not repay the loan advanced from the reserve for replacements upon receipt of the Section 8 subsidy that was outstanding at July 31, 2018. The loan in the amount of $19,337 is deemed to be an unauthorized distribution. The amount due to the reserve for replacement has not been deposited as of the date of this report. b. Action(s) Taken or Planned on the Finding 2 Commencing in March 2024, a repayment plan has been put in place of four monthly installment payments to be made in the amount of $4,834.25 until the balance is paid in full.

Finding 2023-001 – Internal Control Deficiency Over Activities Allowed or Unallowed and Activities Allowed/Allowable Costs Federal Grantor: Department of Homeland Security; Federal Emergency Management Agency (FEMA) Assistance Listing No.: 97.036, Disaster Grants – Public Assistance (Presidentially Declared Disasters) Award Period of Performance: January 20, 2020 – May 11, 2023 Finding: Management did not consistently retain documentation evidencing the performance of controls to ensure allowable COVID-19 expenses were charged to the program. Corrective Action Plan: All of these deficiencies were related to the selections being more than 36 months old, which is past the current documentation retention policy of PVHMC for non-controlled substances and non-patient records. In order to ensure that documentation is retained for future audits, all FEMA related documentation that is still retained will be kept indefinitely to ensure compliance in future years. Person Responsible: Juli Hester, Chief Financial Officer Estimated Completion Date: May 31, 2024

2023-001 FINDING: Deficit Fund Balances Questioned Costs: None noted. Recommendation: We recommend the School continue to implement their plan to liquidate all remaining debt from the general fund. We also recommend they continue a vigilant oversight of all budgets of the School. Response: The current Business Manager is enforcing the CHS Policies that do not permit expenditures in excess of the approved budget without Board approval. In addition, the current Business Manager does not include any carryover from prior budgets in the existing budget until the audit is completed and the financial statements are reconciled. The Business Manager has restricted use of General Fund revenues to remedy the deficit, including income received by the School that is non-program income, and the School Board is responsible for monitoring expenditures monthly. ANTICIPATED COMPLETION DATE: June 30, 2025 PERSON(S) RESPONSIBLE: Leslie Cuny, Business Manager