Corrective Action Plans

Browse how organizations respond to audit findings

Total CAPs: 51,786 in database
Filtered results: 8,717 matching current filters
Active filters: Significant Deficiency
Reference Number: 2024-001 Finding: Other Instance of Noncompliance and Significant Deficiency Status: In-progress Corrective Action: Following our analysis, we have concluded that adjusting our data transmission schedule to NSC will help prevent future last minute data anomalies, ensuring that a final transmission for the term always occurs after the end date of each term. Additionally, we have identified a potential issue where NSC may fail to send graduate records to NSLDS for students who immediately re-enroll in the subsequent semester. Due to timing between the submission from NSC to NSLDS, the newer enrollment appears to be overriding the previously sent graduation record, preventing the graduation record from being sent to NSLDS. To address this, we will create a dedicated report to identify students in this situation and manually update NSLDS with the missed graduation data. Finally, there were isolated cases where a historical date adjustment was made to generate an auxiliary outcome (e.g., a grade change of Withdrawal instead of Withdrawal Failing), which made it appear as though a record change wasn't submitted in a timely manner. For these, we will discontinue this practice and employ an alternative method to derive the desired outcome (e.g., additional grade change transactions input after the withdrawal with no date adjustment). Person(s) Responsible for Implementing: Mike Acosta, Institutional Analyst, Nathan Dugat, Registrar, Lynda McKendree, Dean of Scholarships and Financial Aid Implementation Date: 11/01/2024
Finding Number: 2024-002 – Approval of Payroll Expense Transactions Corrective Action Plan: A process was put in place in January 2024 to ensure that all principal approvals are documented in writing or electronic approval in the system which can be date stamped by the system. Payroll will not be run, nor grants submitted until proper approval is received. Personnel Responsible for Corrective Action: Nachum Golodner, Academica Director of Accounting Anticipated Completion Date: June 30, 2025
Responsible Officials: The acting Executive Director reported incident immediately and enforced quality improvement program in order to ensure that fraud, waste, and abuse do not occur.
View Audit 336781 Questioned Costs: $1
Finding 518400 (2024-004)
Significant Deficiency 2024
Significant Deficiency Non-Compliance Finding 2024-004: Name of Contact Person: Jared Pyles, Finance Director Corrective Action: The City mistakenly reported budgeted costs rather than cumulative costs as part of the compliance reporting for ARPA Funds when closing several projects. The City will correct on its next reporting. Proposed Completion Date: Immediately.
Finding 518362 (2024-001)
Significant Deficiency 2024
2024‐001 Significant Deficiency: Return to Title IV Funds (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268; Federal Pell Grant Program, ALN #84.063; Federal Supplemental Opportunity Grant Program, ALN #84.007; and TEACH Grant Program, ALN #84.379) Name of Contact Person The Director of Financial Aid, Christin Mustard, is responsible for the corrective action plan for this finding. Corrective Action Plan We agree with this finding. After review of this student’s Return to Title IV calculation, it was determined that upon beginning the calculation in the PowerFAIDS system, the Refresh button was not used which would have recalculated the completed days to include the 9-day Spring Break. After reviewing this procedure with PowerFAIDS, it was recommended that we also enter the withdrawal date on the R2T4 tab of the POE screen which forces the system to recalculate the completed days prior to beginning the R2T4 calculation. We have added this step to our Return to Title IV procedures. Anticipated Completion Date The corrected Return to Title IV calculation was completed, which resulted in an Unsubsidized loan return of $1,029. The loan funds were returned via the Common Origination and Disbursement (COD) system.
View Audit 336746 Questioned Costs: $1
2024-003: Student Financial Audit Cluster - Reporting (Significant Deficiency) Corrective Action: Controls have been implemented to retain the documentation used in preparing the FISAP. All documentation for all pieces of the FISAP are now being stored electronically in a shared drive as well as on paper to be held in the Director’s office. Anticipated Completion Date: 9/13/2024 Contact Person: Laurie Johnstone
2024-005: Student Financial Audit Cluster - Special Tests and Provisions: Enrollment Reporting (Significant Deficiency) Corrective Action: Upon investigation, we discovered that even though Casper College is reporting our enrollment to the National Student Clearinghouse (NSC) in a timely fashion, those reports are not always being sent to the National Student Loan Data System (NSLDS) swiftly. We understand that NSC is a third-party servicer and ultimately, the institution is responsible for ensuring NSLDS is being updated properly. As a failsafe, Casper College has developed an internal audit procedure to manually update students in NSLDS to be in compliance with CFR 690.83. Anticipated Completion Date: 9/18/2024 Contact Person: Laurie Johnstone
2024-004: Student Financial Audit Cluster - Special Tests and Provisions: Disbursements to or on Behalf of Students (Significant Deficiency) Corrective Action: Casper College’s award notifications have been updated to include when funds will be disbursed. In addition, the award notifications reference the Important Dates URL on the Casper College website for parents and students to refer to that include award disbursement dates. Anticipated Completion Date: 9/6/2024 Contact Person: Laurie Johnstone
Management is cognizant of the Agency’s internal control structure and continues to evaluate cost effective opportunities to further improve segregation of duties. The Agency has strengthened the internal control structure in recent years by revising the roles and responsibilities of multiple positions within the accounting department. The Agency continues to identify and implement effective mitigating controls when possible. Current Agency procedures for journal entries include one position that is primarily responsible for preparation of journal entries and posting. The Agency is working on implementing procedures that involve program personnel assisting with preparation and/or review of journal entries. Name of responsible official: Nick Curran, Director of Business Operations Expected completion date: Ongoing, no formal expected completion date.
Finding 518087 (2024-006)
Significant Deficiency 2024
Internal controls will be created for reviewing the determination of eligibility for participation in the Emergency Rental Assistance Program.
Finding 2024-002 - Significant Deficiency: Enrollment Reporting Condition For 1 of 17 students tested, the student’s status was reported incorrectly to the National Student Loan Data System (NSLDS). The student graduated however was reported to NSLDS as withdrawn. The student’s status was also reported late, after 60 days. In addition, another student’s status was also reported late. The sample was not a statistically valid sample. Corrective Action Plan The school agrees with the finding. While the withdrawn status was reported for this specific student, the follow-up graduated status was not. This student completed the graduation requirements much later. The school has implemented improved communication between registrar and financial aid to be sure these later graduations are reported. In addition, the timeframe for sending monthly enrollment reports through the National Student Clearinghouse will be altered to improve timely reporting of all statuses. The late statuses were by only a few days and should be resolved by adjusting this timeline. Name(s) of Contact Person(s) Responsible for Corrective Action: Jeff Aalbers Anticipated Completion Date: January 31, 2025
Finding 518009 (2024-001)
Significant Deficiency 2024
Finding 2024-001: FEDERAL WORK STUDY-WORKING DURING CLASS TIME Comments on Finding and Recommendation(s): We concur with this finding. Due to the error rate of FWS instances of noncompliance, the Institution should review and update its internal controls related to FWS to ensure that students are not working during scheduled class time and enhance communication between Federal Work Study supervisors and registration department to ensure instances of noncompliance do not recur. Action Taken or Planned: 1) The school IT department is setting up the WorkEasy clock in/clock out system for students to lock students out of being able to clock in during scheduled class times. 2) Supervisors will examine each time card to verify no student has worked during scheduled class hours unless as defined in Volume 6 Chapter 2: Working During Scheduled Class Time Prohibited - "Exceptions are permitted if an individual class is cancelled, if the instructor has excused the student from attending for a particular day, and if the student is receiving credit for employment in an internship, externship, or community work-study experience. Any such exemptions must be documented." Documentation will be provided before the work is approved to be classified and paid as FWS wages earned. 3) Supervisors will be trained and required to sign a policy at the beginning of each award year or upon hire that states students are not permitted to work during scheduled class hours unless they meet one of the documented exceptions in Volume 6 Chapter 2. By signing this policy, supervisors agree that they may be subject to disciplinary action if they fail to abide by this policy.
Student Financial Assistance Cluster – Assistance Listing No. Various Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Mount Mercy University’s information technology department has implemented an annual process to review access controls and ensure access is only provided to authorized individuals. Authorized users will only have access to sensitive information which is required to perform their roles and responsibilities. Name(s) of the contact person(s) responsible for corrective action: Curtis Sanders Planned completion date for corrective action plan: 06/30/2025
Student Financial Assistance Cluster – Assistance Listing No. Various Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Item was in reference to Perkins Loans that were assigned to ED. While the University does not disagree with the fact that three MPN’s were unavailable, each were old Perkins Loans, and each were successfully assigned to ED utilizing alternative documentation, as suggested by ED. The University has a current process in place to retain all information in student files for a minimum of three years. Name(s) of the contact person(s) responsible for corrective action: Mark Freed Planned completion date for corrective action plan: 06/30/2025
Student Financial Assistance Cluster – Assistance Listing No. Various Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: This process is being reviewed with the Registrar’s Office, as they complete enrollment reporting through the Clearinghouse. The University has found that some delays are happening due to the lack of federal aid at the initial time. For example, one student started in Fall 2023 and the University has documentation to reflect the student was reported to Clearinghouse within the required timeframe. However, the student had not completed Entrance Counseling or a Master Promissory Note, thus they had not received Title IV aid and were not included in the request file from NSLDS to the Clearinghouse. The University will continue to review and make appropriate changes to the current process. Name(s) of the contact person(s) responsible for corrective action: Mark Freed Planned completion date for corrective action plan: 06/30/2025
Federal Agency Name: Department of Housing and Urban Development Program Name: Section 242 – Mortgage Insurance - Hospitals Federal Financial Assistance Listing #: CFDA #14.128 Compliance Requirement: Special Tests and Provisions Finding Summary: During the fiscal year, the Organization entered into a 5-year lease on equipment. A financing lease is identified in the Mortgage Note Insured by HUD as the incurrence of additional indebtedness which, by terms of the agreement, should be approved by HUD in advance of entering into the finance lease agreement. Responsible Individuals: Jay Hodges, Chief Financial Officer Corrective Action Plan: Management will enhance internal controls to ensure additional indebtedness is approved by HUD in advance of entering into the finance lease agreement. Anticipated Completion Date: December 10, 2024
The Attendance and Records Center (ARC) team has put in place a process to check students with any cohort removal codes on a weekly basis, and ensure any required backup documentation is scanned into Aeries. Additionally, all staff received training on the Status Change form and the cohort exit codes that require backup documentation. The ACCESS Administrative Guidelines and Procedures Manual was also shared with staff, including section 3.9 addressing, "Documentation and Evidence Required in Order to Remove a Student from the High School Graduation Rate Cohort." All new staff will receive a copy of the manual. In response to the 2023-2024 audit, additional measures have been taken in perpetuity: a) Every four weeks a SQL query is run to find all cohort removal exit codes. Each one is confirmed or changed according to the documentation provided. b) Each year we re-train the enrollment staff to follow procedures in alignment with the state requirements. The meeting for this year was held on May 22, 2024 and it will be reviewed again in the Spring. c) Internal Policy and Procedure reflects not only the importance of proper documentation but provides details about what the documentation should be. These monitoring steps will ensure that this will not be a finding in the following year.
Federal Programs: Social Services Block Grant (ALN 93.667) and Formula Grants for Rural Areas (ALN 20.509) Finding 2024-1: Significant Deficiency. Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award." Condition: An effective internal control system was not in place to ensure compliance with requirements related to the grant agreement and the allowable costs and allowable activities compliance requirements. Cause: Allocations based on timesheets were not correctly calculated and therefore the splits were not correct. Effect: The failure to establish an effective internal control system placed the Agency at risk of noncompliance with the grant agreement and the compliance requirements. A lack of effective reviews could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by the review process not ensuring there was accurate reporting of the activities of the programs. Repeat Finding: This is not a repeat finding. Questioned Costs: There were no questioned costs identified. Recommendation: Add additional reviews or calculation checks to make sure the percentage of payroll is correctly split across the various grant awards based on time spent for each grant category. Views of responsible officials and planned corrective actions: Management is in agreement with the finding and has prepared a corrective action plan.
Views of Responsible Officials and Planned Corrective Actions: The deposits will be made as cash flows permit. The collection of tenant receivables and subsidy payments will improve as new property management team stabilizes operations by reducing turnover and increasing use of new property management system once fully implemented.
View Audit 335900 Questioned Costs: $1
Views of Responsible Officials and Planned Corrective Actions: The planned corrective action did not take place as cash flow issues persist. The deposits will be made as cash flows permit. Inglis is in the process of billing prior year amounts that are now in compliance and current year amounts.
View Audit 335898 Questioned Costs: $1
Finding 517769 (2024-004)
Significant Deficiency 2024
Finding Reference Number: 2024-004 Initial Fiscal Year: 2023 Summary of Finding: Significant Deficiency: Disbursement Notifications (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268; U.S. Department of Education, Teacher Education Assistance for College and Higher Education Grants, ALN #84.379) (Repeat Finding: 2023-005) In accordance with 34 CFR 668.165(a)(2), when a University credits a student’s account, the University must notify the student or parent of (i) the anticipated date and amount of the disbursement, (ii) the student’s or parent’s rights to cancel all or a portion of that loan or disbursement, and (iii) the procedures and time by which the student or parent must notify the University that he or she wishes to cancel the loan or disbursement. This communication must occur no earlier than 30 days before, and no later than seven days after, crediting the student’s ledger account at the institution if the institution does not obtain affirmative confirmation from the student. During the 2024 audit, it was noted that 13 of 38 students, or 34.2%, who had received Direct Loan funds and/or TEACH grant funds did not receive disbursement notifications due to a system failure. The failure was not noticed to be able to remedy the situation timely. The University should ensure system functionality periodically, specifically entering periods in which disbursements are concentrated, such as the beginning of the semester, to prevent lapses in mass. The University should also create a process to verify that disbursement notifications have been distributed as intended, so that any missed notices can be remedied timely. Entity’s Corrective Action Plan Corrective Action Plan Summary: The University has taken a comprehensive and proactive approach to address this issue through two key initiatives. 
First, we have instituted a robust audit process designed to ensure the integrity and functionality of the system responsible for documenting sent emails. This process enables us to systematically verify that the system is operating as intended. Second, we have deployed advanced software solutions that serve to mitigate the risk of similar issues arising in the future. These combined measures reflect our commitment to ensuring operational reliability and preventing recurrence. Anticipated Completion Date: October 1, 2024 The corrective action plan has been implemented to resolve the prior year finding, helping to ensure that future dates are accurate. Name and Title of Responsible Person: Rocky Christensen, Director of Financial Aid
Finding 517768 (2024-003)
Significant Deficiency 2024
Finding Reference Number: 2024-003 Initial Fiscal Year: 2024 Summary of Finding: 2024-003 Significant Deficiency: Direct Loan Limits (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) In accordance with the Federal Student Aid Handbook, Volume 3, Chapter 3, you must determine an undergraduate student’s Pell Grant eligibility before originating a Direct Subsidized or Unsubsidized Loan for that student, and you must package Campus-Based funds and Direct Subsidized Loans before Direct Unsubsidized Loans. In addition, you must determine an undergraduate student’s maximum Direct Subsidized Loan eligibility before originating a Direct Unsubsidized Loan for the student. The student’s maximum annual loan limit increases as the student progresses to higher grade levels. During the audit, it was noted that the University did not fulfill maximum award of students’ Direct Subsidized Loan eligibility prior to awarding Unsubsidized Direct Loans for 3 of the 32 applicable students tested, which is a 9.4% error rate. This finding is monetary in nature. In the instances noted in testing, the total error is $5,983 in under-award. Extrapolation of this monetary error estimates a total potential error of $54,614. The University should institute processes and controls to ensure that the student eligibility is assessed properly based upon grade level progression and that maximum Subsidized Direct Loans are awarded prior to Unsubsidized Direct Loans, as this practice is more beneficial for the student. Entity’s Corrective Action Plan: Corrective Action Plan Summary: The University has determined that this finding was caused by a deficiency in the software’s calculation of the subsidized award. Specifically, the software failed to update the student’s records following changes in circumstances that impacted the calculation of financial need. 
In response, the University has conducted a thorough evaluation and implemented new software designed to address this issue and ensure accurate calculations in future cases. Anticipated Completion Date: November 1, 2024 The corrective action plan has been implemented to resolve the prior year finding, helping to ensure that future dates are accurate. Name and Title of Responsible Person: Rocky Christensen, Director of Financial Aid.
View Audit 335890 Questioned Costs: $1
Finding 517766 (2024-001)
Significant Deficiency 2024
Finding Reference Number: 2024-001 Initial Fiscal Year: 2023 Summary of Finding: Significant Deficiency: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) (Repeat Finding: 2023-001) In accordance with 16 CFR 314.4, a University shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue and must contain all of the elements that are further described in 16 CFR 314.4. During the audit, it was noted that the University’s Gramm-Leach-Bliley Act Policy did not fully address all of the requirements as described by 16 CFR 314.4. In addition, the application of the comprehensive information security program was not effectively administered by the University during the 2024 year. An updated policy was put into place in July 2024, which addressed several of the deficiencies noted in the existing policy, but not all. The University should continue to update their Gramm-Leach-Bliley Act Policy to be in accordance with the requirements and put in place effective controls and practices to ensure the policy is monitored in a way to ensure it is administered effectively and timely. Entity’s Corrective Action Plan: The Johnson University IT Department has consistently worked to improve compliance with GLBA regulations since July 2023. The leadership of Johnson University has taken a proactive and measured approach to GLBA compliance that ensures a balance between reaching compliance quickly and reaching compliance with long-term strategic planning. This has led to a GLBA implementation that will take 2 or more years but will set up the university for long-term excellence in compliance and security.
The University understands the importance of GLBA requirements and is committed to ensuring student data is protected from all foreseeable threats. It will continue to iterate on its GLBA corrective action plan to ensure proper compliance for long-term security. The Johnson University IT Department has developed a plan to address deficiencies in GLBA compliance in each of the following areas:
Requirement 1 - Qualified Individual: 16 CFR 314.4(a) Johnson University has designated Tim Fisher as our Qualified Individual. Tim Fisher is an employee of Johnson University, serving in the IT Systems Analyst role, and will work alongside Johnson University’s IT Director to oversee the information security program and its implementation. While Tim has over 15 years of on-the-job cybersecurity experience, additional training resources have already been provided to Tim Fisher to pursue the CompTIA Security+ certification. Tim Fisher expects to complete the training and gain the certification by the end of 2025. This was deemed sufficient for GLBA compliance in the audit report provided by Blackburn, Childers & Steagall, PLC dated November 6, 2024. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.”
Requirement 2 - Risk Assessment: 16 CFR 314.4(b) Johnson University partnered with HORNE, a cybersecurity company, to conduct a risk assessment in November 2023. The assessment covered several topics and recorded inherent risk levels, existing mitigating controls, and the residual risk levels of each topic covered. Residual risk levels, the level of risk existing despite the existing controls, were found to be considered high in termination procedures and review of security logs. GLBA policy development and implementation decisions were based heavily on this initial risk assessment.
A more comprehensive cybersecurity company with experience serving customers in Higher Education, DeapSeas, has been selected for ongoing cybersecurity assistance and will be conducting future risk assessments. Additional risk assessments are planned to be performed every 2 years to reexamine reasonably foreseeable risks and to account for changes in cybersecurity controls. The next risk assessment shall be completed by the end of 2025. Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement.” Requirement 3.1 - Access Controls: 16 CFR 314.4(c)(1) Johnson University policy ensures that employee supervisors dictate appropriate access for each employee to the IT Department when they are hired or change positions. Supervisors are responsible for ensuring employees have appropriate access to locations where sensitive information is stored, such as file servers and Jenzabar (Student Information System) software access. The IT Department processes permission changes and does not provide permissions without explicit request from the employee supervisor. Auditing existing permissions is a weak spot that has, in the past, taken hours of manual work. We have purchased software, AD Manager, to assist with access reviews. We expect this software to be ready to audit necessary permission groups by the end of 2024. This should significantly reduce the time it takes to audit permissions through additional reporting and easy remediation features. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement, instituting a continuous monitoring process undertaken at periodic intervals. The University has contracted with a new software to assist with this, which is expected to be live by December 31, 2024.”
Note from JU IT: Requirement 3.1, access control reviews, is complicated as each department supervisor is responsible for setting access permissions. The IT Department will need to engage department supervisors for review and approval. Due to the transition in the I.T. Director position, the expectation to be live should be adjusted to March 31, 2025. Requirement 3.2 – Data Identification: 16 CFR 314.4(c)(2) Informal identification has been completed by the IT Department through generalized asset inventory procedures. DeapSeas, our selected cybersecurity vendor, has been contracted to conduct a more formal data identification procedure in early 2025. This will identify critical items and analyze risks and responsibilities associated with each party. This procedure will take place through scanning the corporate network and interviewing departments on their data storage procedures. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Resolution to this matter is expected to be addressed and incorporated into the policy by December 31, 2024.” Note from JU IT: For requirement 3.2, data inventory, we’re already under contract with DeapSeas to do this. It will be completed by March 31, 2025. Requirement 3.3 – Encryption: 16 CFR 314.4(c)(3) Johnson University has had encryption in transit for several years but has not had encryption at rest. Johnson University purchased licenses to enable encryption at rest in October 2023 and finished a project to encrypt most virtual machines containing sensitive data using AES-256 and XTS-AES-256 encryption on April 29, 2024. The remaining virtual machines are planned to be encrypted before the end of 2024. 
Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement.” Requirement 3.4 – Secure Development: 16 CFR 314.4(c)(4) Johnson University does not develop in-house applications for transmitting, accessing, or storing customer information. A combination of the risk assessment, vendor analysis, and penetration testing will assess the security of externally developed applications. The risk assessment has already been completed, but further vendor analysis and penetration testing are planned to be completed by the end of June 2025. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. However, the University does not develop in-house applications for transmitting, accessing, or storing customer information.” Requirement 3.5 – Multi-factor Authentication: 16 CFR 314.4(c)(5) Johnson University has enabled multi-factor authentication on all connections to the server where our student information system (Jenzabar One) is accessed. Multi-factor authentication is also enabled for all logins to Office 365 and integrated applications, such as Zoom videoconferencing, our student/employee portal, Jenzabar Financial Aid (financial aid management system), and Jenzabar Recruitment (admissions software). Multi-factor authentication is also enabled on connections to our administrative systems, such as our network firewall, hypervisor, door access control, and security camera management systems. With multi-factor authentication requirements for all these systems, we believe that multi-factor authentication is enabled on all critical systems to protect student information. Evaluation of low-risk systems, such as our classroom audiovisual systems, for feasibility of multi-factor authentication is ongoing and is expected to be completed by the end of 2024.
Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. However, the University utilizes multi-factor authentication on all connections to the server where student information system is accessed, as well as administrative and financial applications.” Requirement 3.6 – Data Retention: 16 CFR 314.4(c)(6) Organizational data retention policies, developed by the Finance Department, are currently in effect. These policies were originally written for other means but have some overlap with GLBA regulations. Evaluation of these policies for effectiveness is ongoing and expected to be completed by the end of 2024. Future evaluations for the effectiveness of data retention policies will take place every other year in a joint venture with the Finance and IT Departments. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Evaluation of organizational data retention policies for effectiveness is ongoing and expected to be completed by December 31, 2024.” Note from JU IT: Requirement 3.6, data retention policies, will require collaboration between Finance and IT. Finance’s existing policies on data retention need to be enhanced. This just takes time and decisions from the CFO (how long to retain and when to delete – IT will be enforcing the policy technically). Evaluation will be completed by June 30, 2025. Requirement 3.7 – Change Management: 16 CFR 314.4(c)(7) Change management procedures have been discussed and official policies are being developed. Evaluation of security risk and risk of downtime or other degradation of service are being considered in change management procedures. Official policies should be in place in 2025. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. Official policies should be in place by December 31, 2024.”
Note from JU IT: A change management plan will be completed by March 31, 2025. Requirement 3.8 – User Logging: 16 CFR 314.4(c)(8) User logging is in place for all Office 365 log-ins to its services and integrated applications. Microsoft Entra sign-in risk and user-risk policies are in place to enforce stronger security measures during sign-in, force password resets, or deny sign-ins altogether based on risk analysis. Sign-ins to on-premises resources are logged through new software, Log360, implemented in March 2024. Log360 analyses log-ins and sends notifications to IT Department technicians via email for suspicious activity. IT will then process these reports to take appropriate action to resolve the threat unless there is sufficient evidence of a false positive. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Office 365 user logging has been in place; sign-ins to on-premises resources was implemented in March 2024. IT has processes in place for addressing suspicious activity.” Requirement 4 – Security Assessment: 16 CFR 314.4(d)(1) DeapSeas, a cybersecurity vendor, has been chosen to conduct security assessments. A security assessment is planned for early 2025. Ongoing, internal security assessments are planned on an annual basis to be conducted by the IT Department. These assessments will assist in evaluating the effectiveness of existing controls and the ongoing development of the security program. Software has also been purchased and implemented for continuous monitoring of vulnerabilities within organizational software. The software, Vulnerability Manager, provides notice of known vulnerabilities and available patches for software installed on devices within our organization. These notifications are distributed through the software and through email.
Automated and semi-automated patches are available through the software to be deployed to organizational devices over the internet. Patching known vulnerabilities within our software portfolio is a priority for us. This system should reduce overall risk and patch effectiveness will be verified with penetration testing. Our first annual penetration test is planned for early 2025. Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement.” Requirement 5 – Security Training: 16 CFR 314.4(e) Security training has been made mandatory for all employees beginning in Fall 2024. Security training is done through our online video training platform, KnowBe4. This system allows for video, quizzes, and other learning material to be presented to the employees. KnowBe4 develops this content and ensures accuracy and appropriateness. Johnson University IT Department selects available materials and assigns them to employees. Security training was last updated after the initial risk assessment and will be reviewed every 6 months. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Requirement 6 – Service Providers: 16 CFR 314.4(f) Collection of SOC2 security reports from vendors that have access to systems with student information is in progress. The collection and analysis of these reports is expected to be completed by the end of 2024. Review of these reports is planned to be conducted annually, with requests for updated security reports every 3 years. Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement.” Requirement 7 – Security Control Monitoring: 16 CFR 314.4(g) Security controls are being monitored using Log360 wherever possible.
Continuous evaluation of these controls is underway and adjustments will be made to security controls as needed. New change management policies and penetration testing will influence the way we evaluate these controls and will likely include changes to monitoring systems and evaluation methods. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Anticipated Completion Date: Fall 2026 Name and Title of Responsible Person: Luke Edwards, Director of IT.
Finding 517765 (2024-002)
Significant Deficiency 2024
Finding Reference Number: 2024-002 Initial Fiscal Year: 2024 Summary of Finding: 2024-002 Significant Deficiency: Return to Title IV Funds (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268; Federal Pell Grant Program, ALN #84.063) In accordance with 34 CFR 668.22(f), in the calculation of the percentage of payment period and/or period of enrollment completed, the total number of calendar days in a payment and/or enrollment period includes all days within the period, except that institutionally scheduled breaks of at least 5 consecutive calendar days and days in which the student was on an approved leave of absence are excluded from the total number of calendar days in a payment period and/or period of enrollment. During the audit, it was noted that the University used the incorrect number of completed days in the payment period or period of enrollment in calculating the percentage of the Title IV aid earned. The audit included a detailed testing of 5 withdrawal student files, of which this significant deficiency applies to 1, indicating an error rate of 20.0%. This finding is monetary in nature. In the instances noted in testing, the total error identified is $1,992 in over-award. Extrapolation of this monetary error was not necessary as the 5 withdrawal students tested as part of the 2024 audit constitute the entire withdrawal population for the period under audit. The University should ensure that the number of completed days in the payment period or period of enrollment are counted correctly utilizing the guidance provided by the Compliance Supplement and the Student Financial Aid Handbook. Entity’s Corrective Action Plan: Corrective Action Plan Summary: The University has determined that this matter constitutes a unique training situation involving the application of procedures related to the Return of Title IV funds. 
In particular, the University recognizes the need for enhanced training concerning the accurate counting of days when a student withdraws, provides written notification of their intent to attend a future module within the same term, and subsequently withdraws from that second module. The error in question arose from the miscalculation of days, where the University inadvertently counted all days in the initial module rather than counting only the days leading up to the student's initial withdrawal prior to the final withdrawal from the second module. This oversight was attributed to an individual employee, and the University has proactively implemented comprehensive training and procedural safeguards to prevent similar occurrences in the future. Anticipated Completion Date: August 01, 2024 The corrective action plan has been implemented to resolve the prior year finding, helping to ensure that future dates are accurate. Name and Title of Responsible Person: Rocky Christensen, Director of Financial Aid.
View Audit 335890 Questioned Costs: $1
Name of Contact Person: Melanie Imholte Finance Director mimholte@soldotna.org 907-714-1224 Finding 2024-001 Reporting – Significant Deficiency in Internal Control Over Compliance Corrective Action The City of Soldotna will revise policies and procedures to ensure review and approval of grant reports being submitted. Expected Completion Date: Fiscal Year 2025