Corrective Action Plans

Finding Reference Number: 2024-003 Initial Fiscal Year: 2024 Summary of Finding: 2024-003 Significant Deficiency: Direct Loan Limits (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) In accordance with the Federal Student Aid Handbook, Volume 3, Chapter 3, you must determine an undergraduate student’s Pell Grant eligibility before originating a Direct Subsidized or Unsubsidized Loan for that student, and you must package Campus-Based funds and Direct Subsidized Loans before Direct Unsubsidized Loans. In addition, you must determine an undergraduate student’s maximum Direct Subsidized Loan eligibility before originating a Direct Unsubsidized Loan for the student. The student’s maximum annual loan limit increases as the student progresses to higher grade levels. During the audit, it was noted that the University did not fulfill maximum award of students’ Direct Subsidized Loan eligibility prior to awarding Unsubsidized Direct Loans for 3 of the 32 applicable students tested, which is a 9.4% error rate. This finding is monetary in nature. In the instances noted in testing, the total error is $5,983 in under-award. Extrapolation of this monetary error estimates a total potential error of $54,614. The University should institute processes and controls to ensure that the student eligibility is assessed properly based upon grade level progression and that maximum Subsidized Direct Loans are awarded prior to Unsubsidized Direct Loans, as this practice is more beneficial for the student. Entity’s Corrective Action Plan: Corrective Action Plan Summary: The University has determined that this finding was caused by a deficiency in the software’s calculation of the subsidized award. Specifically, the software failed to update the student’s records following changes in circumstances that impacted the calculation of financial need. In response, the University has conducted a thorough evaluation and implemented new software designed to address this issue and ensure accurate calculations in future cases. Anticipated Completion Date: November 1, 2024 The corrective action plan has been implemented to resolve the prior year finding, helping to ensure that future dates are accurate. Name and Title of Responsible Person: Rocky Christensen, Director of Financial Aid.

Finding Reference Number: 2024-001 Initial Fiscal Year: 2023 Summary of Finding: Significant Deficiency: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) (Repeat Finding: 2023-001) In accordance with 16 CFR 314.4, a University shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue and must contain all of the elements that are further described in 16 CFR 314.4 During the audit, it was noted that the University’s Gramm-Leach-Bliley Act Policy did not fully address all of the requirements as described by 16 CFR 314.4. In addition, the application of the comprehensive information security program was not effectively administered by the University during the 2024 year. An updated policy was put into place in July 2024, which addressed several of the deficiencies noted in the existing policy, but not all. The University should continue to update their Gramm-Leach-Bliley Act Policy to be in accordance with the requirements and put in place effective controls and practices to ensure the policy is monitored in a way to ensure it is administered effectively and timely. Entity’s Corrective Action Plan: The Johnson University IT Department has consistently worked to improve compliance with GLBA regulations since July 2023. The leadership of Johnson University has taken a proactive and measured approach to GLBA compliance that ensures a balance between reaching compliance quickly and reaching compliance with long-term strategic planning. This has led to a GLBA implementation that will take 2 or more years but will set up the university for long-term excellence in compliance and security. The University understands the importance of GLBA requirements and is committed to ensuring student data is protected from all foreseeable threats. It will continue to iterate on its GLBA corrective action plan to ensure proper compliance for long-term security. The Johnson University IT Department has developed a plan to address deficiencies in GLBA compliance in each of the following areas: Requirement 1 - Qualified Individual: 16 CFR 314.4(a) Johnson University has designated Tim Fisher as our Qualified Individual. Tim Fisher is an employee of Johnson University, serving in the IT Systems Analyst role, and will work alongside Johnson University’s IT Director to oversee the information security program and its implementation. While Tim has over 15 years of on-the-job cybersecurity experience, additional training resources have already been provided to Tim Fisher to pursue the CompTIA Security+ certification. Tim Fisher expects to complete the training and gain the certification by the end of 2025. This was deemed sufficient for GLBA compliance in the audit report provided by Blackburn, Childers & Steagall, PLC dated November 6, 2024. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Requirement 2 - Risk Assessment: 16 CFR 314.4(b) Johnson University partnered with HORNE, a cybersecurity company, to conduct a risk assessment in November 2023. The assessment covered several topics and recorded inherent risk levels, existing mitigating controls, and the residual risk levels of each topic covered. Residual risk levels, the level of risk existing despite the existing controls, were found to be considered high in termination procedures and review of security logs. GLBA policy development and implementation decisions were based heavily on this initial risk assessment. A more comprehensive cybersecurity company with experience serving customers in Higher Education, DeapSeas, has been selected for ongoing cybersecurity assistance and will be conducting future risk assessments. Additional risk assessments are planned to be performed every 2 years to reexamine reasonably foreseeable risks and to account for changes in cybersecurity controls. The next risk assessment shall be completed by the end of 2025. Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Requirement 3.1 - Access Controls: 16 CFR 314.4(c)(1) Johnson University policy ensures that employee supervisors dictate appropriate access for each employee to the IT Department when they are hired or change positions. Supervisors are responsible for ensuring employees have appropriate access to locations where sensitive information is stored, such as file servers and Jenzabar (Student Information System) software access. The IT Department processes permission changes and does not provide permissions without explicit request from the employee supervisor. Auditing existing permissions is a weak spot that has, in the past, taken hours of manual work. We have purchased software, AD Manager, to assist with access reviews. We expect this software to be ready to audit necessary permission groups by the end of 2024. This should significantly reduce the time it takes to audit permissions through additional reporting and easy remediation features. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement, instituting a continuous monitoring process undertaken at periodic intervals. The University has contracted with a new software to assist with this, which is expected to be live by December 31, 2024. Note from JU IT: Requirement 3.1, access control reviews, is complicated as each department supervisor is responsible for setting access permissions. The IT Department will need to engage department supervisors for review and approval. Due to the transition in the I.T. Director position, the expectation to be live should be adjusted to March 31, 2025. Requirement 3.2 – Data Identification: 16 CFR 314.4(c)(2) Informal identification has been completed by the IT Department through generalized asset inventory procedures. DeapSeas, our selected cybersecurity vendor, has been contracted to conduct a more formal data identification procedure in early 2025. This will identify critical items and analyze risks and responsibilities associated with each party. This procedure will take place through scanning the corporate network and interviewing departments on their data storage procedures. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Resolution to this matter is expected to be addressed and incorporated into the policy by December 31, 2024.” Note from JU IT: For requirement 3.2, data inventory, we’re already under contract with DeapSeas to do this. It will be completed by March 31, 2025. Requirement 3.3 – Encryption: 16 CFR 314.4(c)(3) Johnson University has had encryption in transit for several years but has not had encryption at rest. Johnson University purchased licenses to enable encryption at rest in October 2023 and finished a project to encrypt most virtual machines containing sensitive data using AES-256 and XTS-AES-256 encryption on April 29, 2024. The remaining virtual machines are planned to be encrypted before the end of 2024. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement.” Requirement 3.4 – Secure Development: 16 CFR 314.4(c)(4) Johnson University does not develop in-house applications for transmitting, accessing, or storing customer information. A combination of the risk assessment, vendor analysis, and penetration testing will assess the security of externally developed applications. The risk assessment has already been completed, but further vendor analysis and penetration testing are planned to be completed by the end of June 2025. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. However, the University does not develop in-house applications for transmitting, accessing, or storing customer information.” Requirement 3.5 – Multi-factor Authentication: 16 CFR 314.4(c)(5) Johnson University has enabled multi-factor authentication on all connections to the server where our student information system (Jenzabar One) is accessed. Multi-factor authentication is also enabled for all logins to Office 365 and integrated applications, such as Zoom videoconferencing, our student/employee portal, Jenzabar Financial Aid (financial aid management system), and Jenzabar Recruitment (admissions software). Multi-factor authentication is also enabled on connections to our administrative systems, such as our network firewall, hypervisor, door access control, and security camera management systems. With multi-factor authentication requirements for all these systems, we believe that multi-factor authentication is enabled on all critical systems to protect student information. Evaluation of low-risk systems, such as our classroom audiovisual systems, for feasibility of multi-factor authentication are ongoing and expect to be completed by the end of 2024. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. However, the University utilizes multi-factor authentication on all connections to the server where student information system is accessed, as well as administrative and financial applications.” Requirement 3.6 – Data Retention: 16 CFR 314.4(c)(6) Organizational data retention policies, developed by the Finance Department, are currently in effect. These policies were originally written for other means but have some overlap with GLBA regulations. Evaluation of these policies for effectiveness is ongoing and expected to be completed by the end of 2024. Future evaluations for the effectiveness of data retention policies will take place every other year in a joint venture with the Finance and IT Departments. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Evaluation of organizational data retention policies for effectiveness is ongoing and expected to be completed by December 31, 2024. Note from JU IT: Requirement 3.6, data retention policies, will require collaboration between Finance and IT. Finance’s existing policies on data retention need to be enhanced. This just takes time and decisions from the CFO (how long to retain and when to delete – IT will be enforcing the policy technically). Evaluation will be completed by June 30, 2025. Requirement 3.7 – Change Management: 16 CFR 314.4(c)(7) Change management procedures have been discussed and official policies are being developed. Evaluation of security risk and risk of downtime or other degradation of service are being considered in change management procedures. Official policies should be in place in 2025. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. Official policies should be in place by December 31, 2024. Note from JU IT: A change management plan will be completed by March 31, 2025. Requirement 3.8 – User Logging: 16 CFR 314.4(c)(8) User logging is in place for all log-ins to Office 365 log-ins to its services and integrated applications. Microsoft Entra sign-in risk and user-risk policies are in place to enforce stronger security measures during sign-in, force password resets, or deny sign-ins altogether based on risk analysis. Sign-ins to on-premises resources are logged through new software, Log360, implemented in March 2024. Log360 analyses log-ins and sends notifications to IT Department technicians via email for suspicious activity. IT will then process these reports to take appropriate action to resolve the threat unless there is sufficient evidence of a false positive. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Office 365 user logging has been in place; sign-ins to on-premises resources was implemented in March 2024. IT has processes in place for addressing suspicious activity.” Requirement 4 – Security Assessment: 16 CFR 314.4(d)(1) DeapSeas, a cybersecurity vendor, has been chosen to conduct security assessments. A security assessment is planned for early 2025. Ongoing, internal security assessments are planned on an annual basis to be conducted by the IT Department. These assessments will assist in evaluating the effectiveness of existing controls and the ongoing development of the security program. Software has also been purchased and implemented for continuous monitoring of vulnerabilities within organizational software. The software, Vulnerability Manager, provides notice of known vulnerabilities and available patches for software installed on devices within our organization. These notifications are distributed through the software and through email. Automated and semi-automated patches are available through the software to be deployed to organizational devices over the internet. Patching known vulnerabilities within our software portfolio is a priority for us. This system should reduce overall risk and patch effectiveness will be verified with penetration testing. Our first annual penetration test is planned for early 2025. Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Requirement 5 – Security Training: 16 CFR 314.4(e) Security training has been made mandatory for all employees beginning in Fall 2024. Security training is done through our online video training platform, KnowBe4. This system allows for video, quizzes, and other learning material to be presented to the employees. KnowBe4 develops this content and ensures accuracy and appropriateness. Johnson University IT Department selects available materials and assigns them to employees. Security training was last updated after the initial risk assessment and will be reviewed every 6 months. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Requirement 6 – Service Providers: 16 CFR 314.4(f) Collection of SOC2 security reports from vendors that have access to systems with student information is in progress. The collection and analysis of these reports is expected to be completed by the end of 2024. Review of these reports is planned to be conducted annually, with requests for updated security reports every 3 years. \ Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Requirement 7 – Security Control Monitoring: 16 CFR 314.4(g) Security controls are being monitored using Log360 wherever possible. Continuous evaluation of these controls is underway and adjustments will be made to security controls as needed. New change management policies and penetration testing will influence the way we evaluate these controls and will likely include changes to monitoring systems and evaluation methods. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Anticipated Completion Date: Fall 2026 Name and Title of Responsible Person: Luke Edwards, Director of IT.

Finding Reference Number: 2024-002 Initial Fiscal Year: 2024 Summary of Finding: 2024-002 Significant Deficiency: Return to Title IV Funds (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268; Federal Pell Grant Program, ALN #84.063) In accordance with 34 CFR 668.22(f), in the calculation of the percentage of payment period and/or period of enrollment completed, the total number of calendar days in a payment and/or enrollment period includes all days within the period, except that institutionally scheduled breaks of at least 5 consecutive calendar days and days in which the student was on an approved leave of absence are excluded from the total number of calendar days in a payment period and/or period of enrollment. During the audit, it was noted that the University used the incorrect number of completed days in the payment period or period of enrollment in calculating the percentage of the Title IV aid earned. The audit included a detailed testing of 5 withdrawal student files, of which this significant deficiency applies to 1, indicating an error rate of 20.0%. This finding is monetary in nature. In the instances noted in testing, the total error identified is $1,992 in over-award. Extrapolation of this monetary error was not necessary as the 5 withdrawal students tested as part of the 2024 audit constitute the entire withdrawal population for the period under audit. The University should ensure that the number of completed days in the payment period or period of enrollment are counted correctly utilizing the guidance provided by the Compliance Supplement and the Student Financial Aid Handbook. Entity’s Corrective Action Plan: Corrective Action Plan Summary: The University has determined that this matter constitutes a unique training situation involving the application of procedures related to the Return of Title IV funds. In particular, the University recognizes the need for enhanced training concerning the accurate counting of days when a student withdraws, provides written notification of their intent to attend a future module within the same term, and subsequently withdraws from that second module. The error in question arose from the miscalculation of days, where the University inadvertently counted all days in the initial module rather than counting only the days leading up to the student's initial withdrawal prior to the final withdrawal from the second module. This oversight was attributed to an individual employee, and the University has proactively implemented comprehensive training and procedural safeguards to prevent similar occurrences in the future. Anticipated Completion Date: August 01, 2024 The corrective action plan has been implemented to resolve the prior year finding, helping to ensure that future dates are accurate. Name and Title of Responsible Person: Rocky Christensen, Director of Financial Aid.

Name of Contact Person: Melanie Imholte Finance Director mimholte@soldotna.org 907-714-1224 Finding 2024-001 Reporting – Significant Deficiency in Internal Control Over Compliance Corrective Action The City of Soldotna will revise policies and procedures to ensure review and approval of grant reports being submitted. Expected Completion Date: Fiscal Year 2025

oronavirus State and Local Fiscal Recovery Funds – Assistance Listing No. 21.027 Recommendation: We recommend that the Organization implement controls to ensure that suspension and debarment verification is performed before entering into a covered transaction with a vendor. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: -New Vendor Form has been updated and includes the steps to verify each new vendor has been reviewed for disbarment and suspension prior to hiring the contractor. -All new contracts include a review of the purchasing department as part of the process before signing the contract. -Updated review of vendors used for federal funds will be done as new projects begin again as part of the update performed by the purchasing department. -Bidding process will also include a review of vendors and will start for any new bids going out after 1/1/2025. Name of the contact person responsible for corrective action: Angela Westwood, CFO Planned completion date for corrective action plan: Immediate with full review and changes to policies 11/30/2025 If the U.S. Department of the Treasury has questions regarding this schedule, please call Angela Westwood at (203) 562-2264.

Finding 2024-001 Condition: Supporting documentation was missing for 6 out of 98 disbursements selected for allowable costs testing during the audit. Without itemized receipts we were unable to determine if the purchases were allowable. However, the projection of the error was less than the $25,000 reportable limit of questioned costs. Cause: The Organization’s controls did not provide for supporting documentation to be adequately retained. Recommendation: We recommend that internal control procedures on recordkeeping and filing should be clearly stated as part of the Organization policy. Management Response: We concur with the finding. Corrective Action: 1. The Finance Committee will review and update the Organization's Policy to more clearly state expectations regarding control procedures on recordkeeping and filing. 2. Administrative staffer is being hired and will be responsible for streamlining supply ordering, setting up store accounts where possible to limit the need for in-store purchases, as well as the collection and filing of receipts. 3. Staff with credit cards will be retained regarding receipt retention procedures. Name of Responsible Person: Beth VanDerbeck

Enrollment Reporting Recommendation: We recommend the College strengthen its review and reporting procedures for enrollment status changes to ensure timely and accurate updates to NSLDS. View of Responsible Officials and Planned Corrective Actions: The College acknowledges the errors in the reporting and is updating its procedures to ensure prompt communication of status changes. Staff will receive training to correctly handle student enrollment updates, and the institution will implement additional checks to avoid future errors.

Disbursements to or on Behalf of Students Recommendation: We recommend the College review its refund procedures and implement controls to ensure refunds are disbursed within the required time frame. View of Responsible Officials and Planned Corrective Actions: The College will review its internal processes for handling refunds and ensure that future refunds are processed within the 14-day window. Training will be provided to the responsible staff to improve compliance with regulations.

Response – The Organization is committed enhancing its financial reporting process, particularly during the end of the year conversion from cash-based to accrual accounting, to ensure revenues and expenses are properly aligned with the correct fiscal years. In fiscal year 2024, two independent accounting firms supported the year-end financial reporting, and the Organization will continue collaborating with them or other qualified professionals to maintain accurate and comprehensive financial statements. Responsible party for corrective action – Dekow Sagar, Executive Director

Response – The accounting firm will refrain from entering expenses into the QuickBooks reconciliation unless supported by signed invoices. The Executive Director (ED) and Finance Manager will sign all recurrent payment invoices, regardless of the amount, prior to payment. Additionally, the Finance Manager, ED, and the accounting firm will cross-check transactions for accuracy. While we respect the auditor's recommendation, we consider it minor, as all purchases were accompanied by supporting documentation. The auditors requested additional invoice approval for all recurrent payments, such as subcontractor payments to Lincoln Literacy, despite the existence of binding agreements or MOUs governing those transactions. Responsible party for corrective action – Dekow Sagar, Executive Director

Contact person responsible for correction action – Michell Hall, CFO Anticipated completion date – June 30, 2024 Corrective action Sterling College agrees with the auditors finding regarding special reporting. We do not anticipate any issues with future reporting as we now understand the process for the reporting.

Contact person responsible for correction action – Mitzi Suhler, Financial Aid Director Anticipated completion date – June 30, 2024 Corrective action Sterling College agrees with the finding of the under award of the Federal Supplemental Education Opportunity funds. This was an oversight of the $100 threshold for awarding this fund. The financial aid office will review the awarding of this fund each year to ensure thresholds and awarding criteria are understood and followed.

In order to prevent students from being missed in enrollment reporting, the College has enhanced its process to include a check and balance of the 100% refund report provided by the Registrar's Office on the first day of school against the 75% and 40% refund reports; this review will ensure that all exited students are reported as exited in the approporiate timeframe. The Exit list report has historically had a column where the Registrar records the date when the student information is submitted to NSC (National Student Clearinghouse). We have now added a new field to the Exit list report that Financial Aid will be responsible for entering the date at which confirmation is made that the data is correct in NSLDS. The FA Office will be responsible for checking the NSC and NSLDS to ensure all withdrawn students are reported accurately. Following the 40% refund period, the College's Student Success Committee will review a list of students at risk of exiting, and will confirm that any exits after the 40% refund period have been accurately recorded.

12/16/2024 United States Department of Health and Human Services Betty Jean Kerr – People’s Health Centers respectfully submits the following corrective action plan for the year ended May 31, 2024. CohnReznick LLP 350 Church Street Hartford, CT 06103 Audit Period: May 31, 2024 The findings from the May 31, 2024 schedule of findings and questioned costs are discussed below. The findings are numbered consistently with the numbers assigned in the schedule. FEDERAL AWARDS FINDINGS AND QUESTIONED COSTS Section III‐ Federal Award Findings and Questioned Costs Community Health Centers, Affordable Care Act (ACA) Grants for New and Expanded Services Under the Health Center Program, COVID-19 Affordable Care Act (ACA) Grants for New and Expanded Services Under the Health Center Program Federal Assistance Listing Numbers: 93.224 and 93.527 Item 2024‐001 – Special Tests Recommendation The Center should establish a system of internal controls to ensure that all slide fee discounts are properly calculated based on family size and income. Repeat Finding Yes Action Taken 1. Upon notification of findings, new reporting structures and training were developed for the FOA staff. Direct governance was moved from finance to operations, and the scheduling supervisor was promoted to a newly created role entitled the Director of Patient Access. This role is directly responsible for training and the scheduling of FOA staff as well as data integrity of registration information. 2. Once developed, we provided targeted training sessions for all staff involved with the calculation of sliding fees on the policies and procedures to ensure:  The sliding fee guidelines document is known.  Understanding of the methodology for calculating fees, including how family size and income are considered.  Documentation required to support income and family size information provided by clients. This may include tax returns, pay stubs, or other relevant documents.  To use the standardized form (checklist) to ensure all necessary information is collected and verified. 3. We also have implemented a monthly audit process that randomly selects a sample of sliding fee patients. Selected patients’ files are reviewed to identify any potential discrepancies. If discrepancies are noted, prior to remediation, errors are documented so that thematic analysis can be conducted, and root causes can be identified. To ensure traction of the initiative, audit findings are presented monthly to the quality assurance and performance improvement committee. 4. We make every effort we can to effectively communicate the sliding fee scale to clients. In addition to face-to-face communication, it is presented openly in several locations throughout the agency and is also available on our website. We are aware that ensuring the continued compliance of the SFS scale determinations, as well as the financial accuracy of our books requires consistent and continuous commitment to quality and improvement. We are confident that the changes made to our internal controls will significantly strengthen our processes. We believe these measures will mitigate the risk of errors and inaccuracies in the future, providing greater assurance over the reliability of our financial reporting. If the Cognizant or Oversight Agency for Audit has questions regarding this plan, please call: Javier Vallejo, CFO at 314-482-0915. Sincerely yours, Javier Vallejo Chief Financial Officer

Student Financial Aid Cluster – Assistance Listing No. 84.063 & 84.268 Recommendation: We recommend that the College rebuilds the ‘Primary Program GT eForm’ to include a check that verifies all programs are not designated as Secondary. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Records staff now individually review each form submission to ensure a Primary program is appropriately assigned. In addition, a fix is being implemented to the District’s NSC file submission to verify students who have Primary and Secondary programs appear accurately. A cross-functional team has been established to create an audit report to scale NSC file submissions, as well. Name(s) of the contact person(s) responsible for corrective action: Laurie Grigg, Chief Financial Officer Planned completion date for corrective action plan: June 30, 2025

Student Financial Aid Cluster – Assistance Listing No. 84.063, 84.268, 84.007, 84.033 Recommendation: We recommend that the College verifies all withdrawal dates surrounding scheduled breaks. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: The withdrawal date and student payment has been updated to reflect the appropriate calculation. Name(s) of the contact person(s) responsible for corrective action: Laurie Grigg, Chief Financial Officer Planned completion date for corrective action plan: June 30, 2025

Finding: 2024-001 Finanical Reporting Requirements - Significant Deficiency Corrective Action Plan: The FAA Forms 5100-126 and 5100-127 have been added to the Board's reporting due date calendar to ensure completion, review and submission occur before the October 31st annual deadline. Completion: December 20, 2024 Responsible Party: Tamie Wick, Accounting Manager

Views of responsible officials and planned corrective action: The Authority has an interlocal agreement with a neighboring housing authority for administration of the Section 8 Housing Choice Vouchers Program. The authority understands the reason for the finding, in that the unit did not pass reinspection within the required period without penalty. Previously a quality control sample of Section 8 Housing Choice Voucher files administered by the neighboring Housing Authority had been reviewed each month. This was with respect to the income calculation, specifically. The Authority will add a verification of inspection requirements to this process, however, effective 12/31/2024 the Authority has terminated the administration contract with the neighboring housing authority. The Authority has hired staff to focus on the Section 8 Housing Choice Vouchers Program and compliance with program requirements. Heather Blough, Executive Director, will be responsible to implement this corrective action by June 30, 2025.

JEVS HUMAN SERVICES AND AFFILIATES CORRECTIVE ACTION PLAN YEAR ENDED JUNE 30, 2024 FINDINGS – FEDERAL AWARD PROGRAM AUDITS (CONTINUED) U.S. Department of Education 2024-002 Significant Deficiency in Internal Control over Compliance Student Financial Aid Cluster: 84.007 - Federal Supplemental Educational Opportunity Grants 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans Condition: During the audit, we noted JEVS Human Service has gaps within their Written Information Security Program and policies when compared to the Safeguards Rule. Recommendation: We recommend management continue to evaluate its written information security plan and establish the required documentation in accordance with GLBA safeguard rules. Explanation of Disagreement with Audit Finding There is no disagreement with the audit finding. Action taken in response to finding: Management will evaluate its written information security plan and establish the required documentation in accordance with GLBA safeguard rules. Planned completion date for corrective action plan: March 31, 2025

JEVS HUMAN SERVICES AND AFFILIATES CORRECTIVE ACTION PLAN YEAR ENDED JUNE 30, 2024 FINDINGS – FEDERAL AWARD PROGRAM AUDITS U.S. Department of Education 2024-001 Significant Deficiency in Internal Control over Compliance Student Financial Aid Cluster: 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans Condition: Certain students’ enrollment information was not reported accurately or timely to the National Student Loan Data System (NSLDS). Recommendation: We recommend the College to review its procedures for transmitting accurate information to the NSLDS. Furthermore, we suggest that the College establish a process to enhance oversight of the submissions completed by the third-party servicer. Explanation of Disagreement with Audit Finding There is no disagreement with the audit finding. Action taken in response to finding: The College has reviewed and updated policies and procedures on reporting enrollment. A new procedure had been added to the process, requiring a designated employee to check and review on a weekly basis the Student Status Confirmation Report (SSCR) on the National Student Clearinghouse (NSC) SSCR Error Correction Platform. The designated employee will document the review and resolution of items identified on the error report. This ensures that any errors are resolved within ten days of receipt, as required by the Department of Education for all schools receiving and distributing Title IV Aid. Planned completion date for corrective action plan: December 31, 2024

Thomas College has refined internal reporting policies and procedures to confirm that student enrollment is reported accurately and in a timely manner. The College uses the National Student Clearinghouse as a data vendor for reporting to NSLDS. The College agrees the students were incorrectly report to NSLDS. However, the student records were regularly updated with the National Student Clearinghouse, according to policies and procedures, NSC was not then transmitting some student records to NSLDS due to a conflict in data reported by a prior instituition concerning name and mismatched SSN. The College has identified the error within the National Student Clearinghouse (NSC). The following findings and corrective actions have been adopted: 1) Additional one on one training with the NSC has been completed to better understand the cause of the finding. The error that is preventing the release of information to NSLDS has been identified and steps required to resolve the error have been communicated. This training will expand to all Thomas College employees who oversee and process enrollment reporting. 2) Thomas College is closely monitoring the processing details from each submission file sent from the college to NSC to identify students not being sent from NSC to NSLDS. Thomas College is submitting the necessary, required paperwork for verification to the NSC, as needed; to verify the student's identify and information, an example of this documentation is an ISIR recorded provided by SFS. The NSC send an automated email to enrollment reporting staff when changes are made and a follow up email requesting additional information if needed. Once resolved, student are no longer shown on the transmission rejection list and are being sent to NSLDS.

U.S. Department of Education Fowler Elementary School District No. 45 respectfully submits the following corrective action plan for the year ended June 30, 2024. Audit period: July 1, 2023 – June 30, 2024 The findings from the schedule of findings and questioned costs are discussed below. The findings are numbered consistently with the numbers assigned in the schedule. FINDINGS— FEDERAL AWARD FINDINGS AND QUESTIONED COSTS 2024-001 Davis-Bacon Act Compliance CFDA Number: 84.425 Program Title: Education Stabilization Fund Federal Agency: U.S. Department of Education Passthrough Number: 21FESSII-111273-01A & 21FESIII-111273-01A Compliance Requirement: N. Special Tests and Provisions Award Period: July 1, 2023 – June 30, 2024 Finding Type: Noncompliance, Significant Deficiency Questioned Costs: N/A Repeat Finding: No. Condition/Context: The District did not retain documentation sufficient to determine the Davis-Bacon compliance clause was included in advertised specifications for two construction projects paid with federal Education Stabilization Fund. Also, for the same two contracts sampled weekly certified payrolls were not collected and maintained for any relevant weeks during the fiscal year. Corrective Action: To meet compliance, the District has included the Grants Director as part of the approval process of all federal grant spending to help identify when Davis Bacon compliance requirements are triggered. When this occurs, the Finance Director and the Facilities Director are brought in to follow up with the vendors to ensure Davis-Bacon Act compliance requirements are adhered to within contracts for the subsequent year as well as obtaining any certified payrolls, as necessary. Planned completion date for corrective action plan: For the period ending June 30, 2025. Name of the contact person responsible for corrective action: Catherine King, Finance Director

SIGNIFICANT DEFICIENCY IN INTERNAL CONTROL OVER COMPLIANCE – U.S. DEPARTMENT OF EDUCATION, PASSED THROUGH MINNESOTA DEPARTMENT OF EDUCATION, SPECIAL EDUCATION CLUSTER – FEDERAL ALN 84.027 AND 84.173 2024-001 Internal Control Over Compliance with Federal Suspension and Debarment Requirements Finding Summary 2 CFR § 180 and CFR § 200 requires Rum River Special Education Cooperative (the Cooperative) to establish and maintain effective internal control over compliance with requirements applicable to federal program expenditures, including suspension and debarment requirements. The Cooperative did not have sufficient controls in place within its special education cluster federal programs to assure that it was not contracting for goods or services with parties that are suspended or debarred, or whose principals are suspended or debarred from participating in contracts involving the expenditures of federal program funds. Corrective Action Plan Actions Planned – The Cooperative has reviewed policies and procedures relating to suspension and debarment, and will ensure timely verification and documentation is obtained that all parties with which it it contracts for goods or services are eligible to participate in contracts involving the federal program expenditures. Official Responsible – Tracy Wells, Finance and HR Director. Planned Completion Date – June 30, 2025. Disagreement With or Explanation of Finding – The District agrees with this finding. Plan to Monitor – Tracy Wells, Finance and HR Director, will assure appropriate controls are in place relating to suspension and debarment and that they are being performed consistently and in a timely manner to ensure compliance with the Uniform Guidance requirements.

The Food Service Director will continue to review food service claim data, in addition to the claim preparer. Management has instituted a process whereby the Food Service Director will initial food service claim paperwork in order to document her review. The preparer of the claims will then also review the data before processing and submitting the claims. Person Responsible: Chris Petersen, Superintendent Anticipated Completion Date: Ongoing

Correctivee Action Plan For the Year Ended March 31, 2024 Section III - Federal Award Findings and Questioned Costs Finding 2024-001 Name of Contact Person: Thomas R. Green Executive Director Corrective Action: Management will review the recertification process and plan to monitor recertifications. Proposed Completion Date: Immediately