Corrective Action Plans

Responsible Contact Person(s): Barry Davis, Chief Information Security Officer and Director of Information Security & Risk Management John Vosper, Information Technology Audit Manager Corrective Action Planned: DSS has contracted with a contractor to perform IT audits once every three years on an ongoing rotating basis. Estimated Completion Date: 12/31/2023

Responsible Contact Person(s): Mike Jones, Chief Information Officer Corrective Action Planned: The vendor started the security audit in September 2023 and completed in December 2023. The report was sent to DMAS in February 2024. Next steps- The report needs to be reviewed and the Contract Administrator will work with the vendor to ensure Plan of Action and Milestones (POAMs) are completed to address the risks and control gaps. The Contract Administrator will monitor the vendor to ensure the vendor meets to terms of the contract and submits a security audit every two years. Estimated Completion Date: 6/30/2024

Responsible Contact Person(s): David Clark, Information Security Officer Corrective Action Planned: The Information Security Unit has documented a process for the types of changes that trigger a security impact analysis (SIA) as well as a request form for a security impact review. Part of the SIA process will be to determine if pre-implementation testing is required. The Information Security Unit will retain documentation in accordance with the Configuration Management Policy. Once the processes are further defined, the Information Security Unit will update the Configuration Management Policy & Procedures. Estimated Completion Date: 3/31/2024

Responsible Contact Person(s): Kevin Platea, Chief Information Officer Corrective Action Planned: This finding was marked as FOIA Exempt (FOIAE) and as a result, the State Comptroller has determined that the resulting corrective actions are FOIAE under §2.2-3705.2 (9.) of the Code of Virginia. Federal awarding agencies and pass-through entities, please see the Appendix titled “Applicable Management Contacts for Findings and Questioned Costs” to request the corrective action planned from the applicable entity. Estimated Completion Date: 6/30/2024

Responsible Contact Person(s): Barry Davis, Chief Information Security Officer and Director of Information Security & Risk Management Melinda Raines, Director of Human Resources Karen Holt, Human Resources Business Process Consultant Corrective Action Planned: An agency-wide work group will be established to determine the exact processes need to implement the controls necessary to address this finding. HR and ISRM have identified the need for new reporting and interfaces to regain compliance. DSS had deployed DOA human capital management system and an internal system that will need to have interfaces developed. Estimated Completion Date: 6/30/2024

Responsible Contact Person(s): Mike Jones, Chief Information Officer Steve Hanoka, Chief Information Security Officer Corrective Action Planned: The 2023 Annual Access Review for the claims processing system through secure web application surveys began in the 4th Quarter 2023. Three separate surveys were sent to perform access review for DSS, Contractor and DMAS Internal access review. • DSS annual review sent on November 9, 2023 and ended on November 20, 2023 • Contractor review sent on November 30, 2023 and ended on December 15, 2023 • DMAS review sent on December 15, 2023 and ended on January 13, 2024 All 3 surveys requested managers to review their employees access and confirm if it was required or if the access should be revoked. Survey results are available to perform follow up actions. DMAS Security is currently reviewing the survey results and revoking access where requested. Estimated Completion Date: 6/30/2024

Responsible Contact Person(s): Barry Davis, Chief Information Security Officer and Director of Information Security & Risk Management Steve McCauley, Assistant Division Director Corrective Action Planned: DSS will perform an annual access review of user accounts for the case management system. Estimated Completion Date: 12/31/2024

Responsible Contact Person(s): Angela Morse, Director of Benefit Programs Kavansa Gardner, Information Technology Manager Corrective Action Planned: DSS will perform and document a conflicting access review for the case management system to identify the combinations of roles that could pose separation of duties conflicts and ensure compensating controls are in place to mitigate risks arising from those conflicts. Additionally, DSS will work with a vendor to update the role-based security access documentation to reflect all system changes from prior case management system related releases when there are proposed changes to the roles matrix. Estimated Completion Date: 12/31/2024

Responsible Contact Person(s): Diane Carnohan, Chief Information Security Officer Corrective Action Planned: This finding was marked as FOIA Exempt (FOIAE) and as a result, the State Comptroller has determined that the resulting corrective actions are FOIAE under §2.2-3705.2 (9.) of the Code of Virginia. Federal awarding agencies and pass-through entities, please see the Appendix titled “Applicable Management Contacts for Findings and Questioned Costs” to request the corrective action planned from the applicable entity. Estimated Completion Date: 12/31/2024

Responsible Contact Person(s): Kevin Platea, Chief Information Officer Corrective Action Planned: This finding was marked as FOIA Exempt (FOIAE) and as a result, the State Comptroller has determined that the resulting corrective actions are FOIAE under §2.2-3705.2 (9.) of the Code of Virginia. Federal awarding agencies and pass-through entities, please see the Appendix titled “Applicable Management Contacts for Findings and Questioned Costs” to request the corrective action planned from the applicable entity. Estimated Completion Date: 12/31/2024

Responsible Contact Person(s): Barry Davis, Chief Information Security Officer and Director of Information Security & Risk Management Kevin Platea, Chief Information Officer Corrective Action Planned: To improve the governance structure of the agency, ISRM Division Leadership is working with a vendor to address the division’s responsibility around defining and communicating the Security and Risk Management program. The goal is to educate the agency System Owners, Data Owners, System Administrators, System User, and Data Custodians as to their roles and responsibilities in managing risk associated with agency data and systems. The Division of ISRM will deliver System Owner training to the Agency Executive Team in April in support of the Commonwealth’s requirement that System Owner’s manage risks associated with their systems. This training will also highlight the importance of Configuration Management and Software and Service Acquisition. The Division of ISRM will also construct and offer training on Configuration Management and Software and Service Acquisition to whichever resources the Agency identifies to own such related processes. The training will be ready to be provided no later than August 1, 2023. Estimated Completion Date: 12/31/2023

2023-002 Special Tests and Provisions – Income Targeting Program: U.S. Department of HUD: Section 8 Housing Choice Vouchers (CFDA 14.871) Type of Finding: Significant Deficiency in Internal Control and Other Matter to be Reported Under the Uniform Guidance This is a repeat finding of 2022-002 from June 30, 2022 (initially reported June 30, 2021) Statement of Condition The Authority did not have adequate controls over income targeting to assure that the Authority is in compliance with this requirement. During our testing, we noted that tenants with incomes that were extremely low accounted for approximately 70% of new admissions during the fiscal year, which is below the minimum required percentage of 75%. Recommendation We recommend the Authority assure that at least 75% of new admissions be in the extremely low-income bracket. This should be monitored throughout the year. The Authority can also select applicants on the waiting list who are extremely low income by bypassing others on the list that don’t meet the requirement and documenting that the person was selected ahead of others to be able to meet the requirement Action Taken: We concur with this finding. We will closely monitor new admissions and focus on applicants on the waiting list who meet the criteria as extremely low income so that the 75% requirement is met. Our lease rate has been decreasing due to a decrease in availability in our area. We have been issuing vouchers every month and have little to no wait on our waiting list. We are also accepting applications every week. We have been unable to exclude persons due to the extremely low-income bracket requirement because we are trying to increase the overall utilization in our voucher program. We have submitted a request to HUD to allow an exception to the income targeting rule and are currently awaiting a response. Effective Date: February 29, 2024 Contact Information Jenny Hammond, Executive Director Housing Authority of the City of York 221 California Street York, SC 29745 (803) 684-7359

Finding No. 2023-001 Eligibility – Tenant Files Program: U.S. Department of HUD: Section 8 Housing Choice Vouchers (CFDA 14.871) Type of Finding: Significant Deficiency in Internal Control and Other Matter to be Reported Under the Uniform Guidance This is a repeat finding of 2022-001 from June 30, 2022 (initially reported June 30, 2021) Statement of Condition Out of a total tenant population of approximately 194 vouchers, 20 files were selected for testing. Exceptions were noted as follows: • 1 file where a math error on zero-income calculation resulted in an increase in HAP rent from $709 to $712. • 1 file where a math error on zero-income calculation resulted in a decrease in HAP rent from $961 to $912. • 1 file where social security income was calculated using 2022 amounts despite move-in date in February 2023. As a result, HAP rent decreased from $561 to $546. • 1 file where social security income was calculated using 2022 amounts despite annual re-exam in February 2023. As a result, HAP rent decreased from $709 to $687. In addition to the above, during our new admissions testing (5 tested out of 44 new admissions) we noted the following: • 1 file that did not contain a signed lease agreement. Recommendation The Authority should correct the deficiencies noted in the tested files and utilize an ongoing quality control review process on the entire tenant population to ensure proper compliance with the requirements related to tenant eligibility. Ongoing staff training and timely management reviews should be utilized to ensure staff is aware of acceptable procedures. In addition, the Authority should review staffing levels, skill sets and case load. Action Taken We concur with this finding and have implemented various controls. A tenant file and unit quality control procedure has been developed and implemented.

Condition: The College did not have a control in place to ensure all returns of Title IV refunds were reviewed. As a result, certain student Title IV refund calculations were not correctly calculated and returned.. Planned Corrective Action: • GRCC updated its R2T4 procedure document to highlight the steps needed to be taken so that bookstore charges are handled correctly in the R2T4 calculation. • GRCC provided updated training to the current employees who handle the R2T4 process. • GRCC reviewed all of the R2T4s in which students had bookstore charges. The results were as follows: oTotal number of students: -Fall -- 103 students reviewed; 61 corrections made -Winter -- 83 students reviewed; 5 corrections made o Total amount of adjustments: -Fall = $13,372 -Winter = $1,362 • GRCC reviewed all unofficial withdrawals during fiscal year 2023 adn matched them with R2T4's where required. Once correction was made for $558. This is the same error noted in teh finding. • During the 2023-2024 year (fiscal year 2024), GRCC is performing a 100% review of the R2T4s that have bookstore charges. While performing the review of the bookstore charges, we are reviewing the entire R2T4, not only whether bookstore charges are correctly included. By doing so, we can ensure that the entire process is performed accurately. • Additionally, GRCC will be conducting R2T4 training each semester by way of ensuring that staff who perform the calculations understand the process and the specific steps needed to complete the calculations. Contact person responsible for corrective action: David DeBoer, Executive Director of Financial Aid Anticipated Completion Date: 12/02/2023

2023-002 Coronavirus State and Local Fiscal Recovery Funds – Assistance Listing No. 21.027 Recommendation: We recommend that the Organization review and follow the indirect cost rate guidance set out at 2 CFR section 200.414 within Uniform Guidance. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Management is in the process of updating it’s calculation of indirect costs to be in compliance with the indirect cost rate guidance set out at 2 CFR section 200.414 within Uniform Guidance. Name of the contact person responsible for corrective action: Shannon Marimón Planned completion date for corrective action plan: February 29, 2024

2023-001 Coronavirus State and Local Fiscal Recovery Funds – Assistance Listing No. 21.027 Recommendation: We recommend that the Organization review its procurement and make necessary changes to comply with the criteria as set out in 2 CFR sections 200.318 through 200.326. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Management is in the process of enhancing the federal procurement policy to include sections 200.318 through 200.326. Name of the contact person responsible for corrective action: Shannon Marimón Planned completion date for corrective action plan: February 29, 2024

Finding 2023-001- Enrollment Reporting Recommendation: It is recommended that the University review policies and procedures in place to resolve reporting issues in a timely manner to facilitate compliance with Title IV regulations. Action Taken: Each error was corrected within the system. Going forward, the reports submitted to NSLDS will be closely reviewed to ensure effective dates for student changes are appropriately reported. In addition, the registrar has updated their process notes which are used each time they pull the report. Responsible Individual for Corrective Action: Registrar - Joanna Raudenbush Anticipated Completion Date: December 31, 2023

2023-001: Student Financial Aid Cluster - Return to Title V Recommendation: We recommend that the Colleges improve the existing procedures and controls to ensure compliance with the aforementioned criteria. We also recommend an additional level of review is added in the process to ensure completed Return to Title IV calculations are properly completed. Action taken in response to finding: The Financial Aid office is implementing the following steps to ensure all Return to Title IV calculations are properly completed: To improve our process, a Return of Funds Calculation report is in place to assist with monitoring the return of unearned aid the Department of Education within 45 days of determination. An additional staff member has been assigned to the Return of Title IV program. We now have two staff members processing Return to Title IV calculations and each will be required to complete R2T4 training on an annual basis. The first staff member is assigned with the review of Return to Title IV calculations, while the second will conduct a secondary review for any miscalculation or data entry error. Thus, each Return to Title IV calculation will be checked by two staff members for accuracy. We will have an additional staff member help with the return of funds to COD to meet the 45-day rule; this will be on the accounting side. Our final step includes management review of Return to Title IV calculations. These added redundancy review will confirm Return to Title IV calculations are accurate. Our Return to Title IV procedures have been updated to reflect these changes. Name of the contact person responsible for corrective action: Chau Dao, Director of Financial Aid & Basic Needs Planned completion date for corrective action plan: June 2024

Gramm-Leach-Bliley Act (GLBA) Compliance Planned Corrective Action: (Corban will proceed with the documentation of information security program policies and practices. Additionally, with the expansion of Corban’s partnership with third party partners, it will more than adequately address all matters of Gramm-Leach-Bliley Act (GLBA) Compliance, especially training, and reduce the potential for unintended exposure of information. Person Responsible for Corrective Action Plan: Tom Cornman, Senior Vice President & Provost Anticipated Date of Completion: April 30, 2024

The Downey Adult School concurs with the finding and to prevent future occurrences, the school purchased a new student database management software system (Campus Café) that was implemented on August 1, 2023. The school also partnered with National Student Clearinghouse (NSCH). NSCH articulates with the new student database management software system (Campus Café). The new student database management software system together with National Student Clearinghouse will help to prevent human errors and omissions from occurring when reporting National Student Loan Data System (NSLDS) data. While the district purchased the new system in November of 2022, the school did not begin using the new system(s) until August of 2023 because the switch had to be implemented at the beginning of the fiscal year. Implementation is a several month process and all DAS employees have been receiving extensive training (ongoing) to be proficient and comfortable with the new system(s). We have ongoing weekly training for all DAS staff as we continue to fully implement the new student database management software system.

CORRECTIVE ACTION PLAN Oversight Agency for Audit: U.S. Department of Education The City of Haverhill, Massachusetts respectfully submits the following corrective action plan for the year ended June 30, 2023. Name and address of independent public accounting firm: Powers & Sullivan, LLC 100 Quannapowitt Parkway, Suite 101 Wakefield, MA 01880 Audit period: July 1, 2022 through June 30, 2023 The finding from the June 30, 2023, schedule of findings and questioned costs is discussed below. The finding is numbered consistently with the number assigned in the schedule. FINDINGS—FEDERAL AWARD PROGRAMS AUDITS U.S. DEPARTMENT OF EDUCATION Passed through the Massachusetts Department of Elementary and Secondary Education Title I Grants to Local Educational Agencies Title I Grants to Local Educational Agencies Federal Assistance Listing No. 84.010 Special Education Cluster Special Education Grants to States and Special Education Preschool Grants Federal Assistance Listing Numbers, 84.027 and 84.173. COVID-19 Education Stabilization COVID-19 Education Stabilization Federal Assistance Listing Numbers, 84.425, 84.425C, 84.425D, 84.425U, and 84.425W Twenty-First Century Community Learning Centers Twenty-First Century Community Learning Centers Federal Assistance Listing Numbers, 84.287 and 84.287C 2023-001: Controls for Monitoring Payroll Charged to the Grant Compliance Requirement: Allowable Costs/Cost Principles Type of Finding: Compliance and Significant Deficiency in Internal Control over Compliance Criteria or Specific Requirement: Grantees must provide reasonable assurance that Federal awards are expended only for allowable activities and that the costs of goods and services charged to Federal awards are allowable and in accordance with the applicable cost principles. Condition: Management has not established written guidelines and procedures outlining the time and effort reporting and documentation requirements that department heads must adhere with to ensure compliance with federal and state time and effort reporting requirements. Such guidelines and procedures should indicate under what circumstances semi-annual certifications and personnel activity reports (PARS) are required and should indicate due dates for when this information must be provided to the school business office. Management also has not adopted and implemented standardized forms for semi-annual certifications and PARS that include all data required by federal and state guidelines. Questioned Costs: None reported. Context: Payroll expenditures charged to the programs are required to be supported with documentation substantiating that the employees are eligible to be charged to the grant and that the payroll charged relates to time spent accomplishing grant objectives. This supporting documentation should be standardized and should include all required elements in accordance with Title 2 U.S. Code of Federal Regulations Part 225 Cost Principals for State, Local, and Indian Tribal Governments. The City did not have an adequate system of internal controls in place to provide sufficient documentation to demonstrate compliance with federal and state time and effort reporting requirements in accordance with the provisions of Title 2 U.S. Code of Federal Regulations Part 225 Cost Principals for State, Local, and Indian Tribal Governments. Effect: The City has not complied with the federal and state time and effort reporting requirements. Cause: Lack of documented policies, procedures and guidelines in place to ensure compliance with time and effort reporting requirements. Repeat Finding: This matter was reported as a finding for the Title I major program and special education cluster grants in the previous year as finding 2022-001. Recommendation: Management should establish written guidelines and procedures outlining the time and effort reporting and documentation requirements that department heads must adhere with to ensure compliance with federal and state time and effort reporting requirements. Such guidelines and procedures should indicate under what circumstances semi-annual certifications and personnel activity reports (PARS) are required and should indicate due dates for when this information must be provided to the school business office. Management should also adopt and implement standardized forms for semi-annual certifications and PARS that include all data required by federal and state guidelines. Once the written guidelines and procedures have been established, training should be provided to ensure that the program managers fully understand the time and effort reporting requirements. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and will establish written guidelines and procedures outlining the time and effort reporting and documentation requirements that department heads must adhere with to ensure compliance with federal and state time and effort reporting requirements. Such guidelines and procedures will indicate under what circumstances semi-annual certifications and personnel activity reports (PARS) are required and will indicate due dates for when this information must be provided to the school business office. Management will also adopt and implement standardized forms for semi-annual certifications and PARS that include all data required by federal and state guidelines. Once the written guidelines and procedures have been established, training will be provided to ensure that the program managers fully understand the time and effort reporting requirements. Management intends to implement these procedures in fiscal 2024. If the Oversight Agency has questions regarding this plan, please call Michael Pfifferling, Assistant Superintendent of Finance and Operations at 978-374-3400. Sincerely yours, Michael Pfifferling Assistant Superintendent of Finance and Operations City of Haverhill

Corrective actions: As a result of a cyber-event in 2021 and a program review conducted by the U.S. Department of Education, EWC initiated a comprehensive assessment of information technology and security to ensure compliance with the Gramm-Leach-Bliley Act (GLBA) and industry protocols. EWC hired an educational law firm, Parker & Poe and Associates, to evaluate and prepare policies in accordance with legal requirements. These policies, Board Policies 7.0 through 7.5 (as renumbered), have been reviewed within the College administration and presented to the Board of Trustees for first reading in October 2023. EWC anticipates the final approval and adoption will occur on December 12, 2023. Additionally, EWC foresees finalizing supporting administrative regulations on or before December 31, 2023. The policies and regulations are designed to ensure a comprehensive information security plan and GLBA compliance while meeting the requirements of the U.S. Department of Education. Anticipated completion dates: December 12, 2023 (Policies) and December 31, 2023 (Regulations) Contact person: Vice President Administrative Services - Patrick Korell

Corrective actions: In September 2023, EWC Financial Aid implemented a permanent fix utilizing the Colleague Process Handler, which automates disbursement notifications. The automated disbursement process is set to run weekly and ensures time sensitive acknowledgement to aid recipients. Completion date: September 2023 Contact person: Director of Financial Aid - Rebecca McAllister

Corrective actions: EWC Financial Aid actively addressed the issue of awards not showing in the Common Origination and Disbursement (COD) system. EWC has implemented a new process utilizing the Colleague Transfer Monitoring system to ensure NSLDS accepts the NSC enrollment information. In the event that EWC’s HCM2 status prevents automatic reporting, EWC Financial Aid will update NSLDS monthly. Completion date: October 2023 Contact person: Financial Aid Director - Rebecca McAllister ________ Student with reported program length: EWC has set internal controls to ensure the proper settings within Colleague are selected, including setting years as a default instead of months. EWC Financial Aid and EWC Academic Services will review and evaluate each program and ensure that the proper default is selected to ensure accurate program reporting. Anticipated completion date: December 2023 Contact people: Financial Aid Director - Rebecca McAllister and Admin. Specialist - Lynn Wamboldt _________ Students with a program date from Colleague that did not match NSLDS: The Colleague student-information system will be updated to define the parameter of start date as the first day of each semester. This software patch will ensure Colleague matches the reporting parameters utilized by NSLDS. Anticipated completion date: January 2024 Contact people: Data Analyst - Xi Feng and CIO -Tyler Vasko

Management's Response: We concur. View of Responsible Officials and Corrective Action Plan. Return of Funds - The Campus Business Office and the Financial Aid Office met to review the untimely return of funds. We determined and immediately implemented a restructured process where the R2T4 specialist in financial aid will review student accounts that require R2T4 calculations on a weekly basis. The students will be posted to the shared database between Financial Aid and the Business Office. The dedicated weekly time will expedite the calculation process. The Business Office, as part of the updated process will continue to treat the R2T4 award adjustments as a priority. In addition to the existing process of end of month reconciliation and return of funds, a mid-month returning of funds was added and implemented. The dedicated weekly timeline to calculate, as well as the added mid-month return of funds, will ensure that we meet the required return of funds within the 45-day window. The offices will meet to review this updated process and make any additional changes should they be necessary to maintain compliance. Calculations - To ensure compliance with calculations processed timely, we will relieve the R2T4 specialist of other responsibilities so he can dedicate 100% of his time to calculate within the required timeframe. In addition, there will be additional staff assisting with calculations because the institution closes for a 10- day period which impacts the 30-day timeframe. This will ensure that all calculations are done. Implementation Date: 11/15/2023