Corrective Action Plans

Finding 2023-002 – Significant Deficiency Assistance List Number: 97.039 – Hazzard Mitigation Grant Pass-through Agency: California Governor’s Office of Emergency Services, FEMA-4344-DR-CA. Compliance Requirement: Reporting. Condition: The District did not provide project closeout materials to the pass-through agency within 90 days of the end of the period of performance so the pass-through agency could prepare the closeout reporting within 120 days of the end of the period of performance. Criteria: The Notice of Funding Opportunity indicates: “In addition, pass-through entities are responsible for closing out their subawards as described in 2 C.F.R. § 200.344; subrecipients are still required to submit closeout materials within 90 calendar days of the period of performance end date. When a subrecipient completes all closeout requirements, pass-through entities must promptly complete all closeout actions for subawards in time for the recipient to submit all necessary documentation and information to FEMA during the closeout of the prime award.” Cause: The District’s staff were waiting for a requested extension for the period of performance from the pass-through agency and assumed the closeout reporting would not be necessary. Effect: The District is not in compliance with the terms and conditions of the federal award. Recommendation: We understand the District provided the information necessary to complete the closeout reporting to the pass-through agency on November 30, 2023. Views of Responsible Officials and Planned Corrective Actions: As indicated in the recommendation, the District provided the information necessary to complete the closeout reporting to the pass-through agency on November 30, 2023. Furthermore, on March 22, 2024, the District heard from the pass-through agency that FEMA received the requested extension, and it is in the queue for final approval and signature. The corrective action has been completed.

Higher Education Emergency Relief Funds – Assistance Listing No. 84.425 Recommendation: We recommend the University review their reporting procedures to ensure reports are being uploaded and submitted timely. University of Maine at Farmington Condition: During our testing of 11 quarterly reports, it was noted that University of Maine at Farmington (UMF) had two reports of two sampled that were not submitted timely. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: The upcoming reporting requirements have been added to the calendar and invoicing spreadsheet of UMF’s Director of Finance. Additionally, due dates and requirements are noted by both UMF’s Chief Business Officer (CBO) and its Vice President for Student Affairs and Enrollment Management. The CBO will continue to perform a final review prior to submission. Name(s) of the contact person(s) responsible for corrective action: Kathleen Falco, Director of Finance for the University of Maine at Farmington Planned completion date for corrective action plan: Completed

Student Financial Assistance Cluster – Assistance Listing No. Various Recommendation: We recommend the University review their reporting procedures to ensure that students’ statuses are accurately and timely reported to the National Student Loan Data System (NSLDS) within the appropriate timeframe as required by regulations. University of Maine Condition: During our testing of 40 students, we noted that seven of the 17 University of Maine (UM) students tested had changes in enrollment status that were not reported in a timely manner. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: The University will update its protocols for post-term reporting to the National Student Clearinghouse (NSC) each academic term to ensure students who have applied for graduation, and are pending final eligibility review, are assigned a withdrawn status until such time their degree(s) are conferred or they are reported as enrolled in a future term. Guidance received from the NSC School Operations team has been forwarded to UMS:IT, and steps to identify (or develop) and deploy the necessary reports are underway. The first round of updated reporting protocols are planned to take place in May 2024, for Spring 2024 graduation applicants. Name(s) of the contact person(s) responsible for corrective action: W. Sam Carrell, Registrar for the University of Maine Connie Smith, Director of Financial Aid for the University of Maine Planned completion date for corrective action plan: May 2024

Condition: For a sample of tenants selected in conjunction with eligibility testing, the Commission did not correctly calculate family income composition, and did not retain required documentation supporting eligibility determinations. Planned Corrective Action: The Commission is implementing a plan to audit internally 100 percent of all tenant files in our Low Income Public Housing (LIPH) program. This plan involves both the use of experienced employees and an outside consultant. The plan includes updating and automating files, identifying recurring compliance issues, and expanding formal training and specific training from the consultant. In addition, an additional level of review will be put in place to assist in catching any inconsistencies. The Commission has added additional employees to the LIPH program, which include an operations manager and a staff person. These additional resources will be incorporated into our overall plan to increase our compliance controls. Contact person responsible for corrective action: Steve Raiche Anticipated Completion Date: 6/30/2024

Condition: For a sample of tenants, a recertification was not completed properly, resulting in an incorrect calculation of housing assistance payments to be received. Planned Corrective Action: The Commission acknowledges the incorrect subsidy calculations and has issued refunds to the tenants in the amount of underpayment of subsidy. The Commission has also adjusted future funding requests for the overpayment of subsidy. Contact person responsible for corrective action: Steve Raiche Anticipated Completion Date: 6/30/2024

Audit Finding Reference: 2023-001 Improve Controls Over Reporting Planned Corrective Action: 1. Request a list from DHHS of definitions of income types by program in the Quarterly Reports. Ensure that this list provides clarity on how to report income that is not explicitly tied to a single program. 2. Review AFY23 and AFY24-to-date reports against these criteria (once received), and re-submit any reports which may need to be modified to comply with the guidance. 3. Going forward, the Quarterly Reports will be generated differently. The Client Services Manager will prepare actuals by program for number of clients and units. The Director of Administration will prepare actuals by program for income and expense. The Executive Director will compile the final report, which will not be submitted until both the Client Services Manager and Director of Administration have both checked the reports and electronically signed them. In the absence of specific guidance from DHHS to the contrary, any non-program-specific income will be allocated to programs by share of service units delivered. Planned Implementation Date of Corrective Action: 1. 3/29/24. 2. 6/30/24. 3. 4/15/24. Person Responsible for Corrective Action: Tim Diaz, Executive Director

FA 2023-001 Strengthen Controls over Wage Rate Requirements Compliance Requirement: Special Tests and Provisions Internal Control Impact: Significant Deficiency Compliance Impact: Nonmaterial Noncompliance Federal Awarding Agency: U.S. Department of Education Pass-Through Entity: Georgia Department of Education Assistance Listing Number and Title: COVID-19 - 84.425U - American Rescue Plan Elementary and Secondary School Emergency Relief Fund Federal Award Number: S425U210012 (Year: 2021) Questioned Costs: None Identified Prior Year Finding: Not Applicable Description: A review of construction-related expenditures charged to the Elementary and Secondary School Emergency Relief Fund programs revealed that the School District's internal control procedures were not operating to ensure that Wage Rage Requirements were followed properly. Corrective Action Plans: The School District will review and update the current procedures to ensure that the Wage Rate requirements are met. Estimated Completion Date: June 30, 2024 Contact Person: Dr. Samuel P. Light, Superintendent Telephone: (706) 359-3742 Email: slight@lcboe.us

DEPARTMENT OF HEALTH AND HUMAN SERVICES 2023-002 Head Start Program – Assistance Listing Number 93.600 Recommendation: We recommend procedures be implemented to file all required reports timely. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Program management has begun the process of strengthening procedures to timelier file all reports. Name(s) of the contact person(s) responsible for corrective action: Program management. Planned completion date for corrective action plan: As soon as possible.

The District agrees with the finding. The District's Registration and Attendance apparatus is undergoing a "makeover" as we speak under the guidance of the Superintendent of Schools such that this will not be a finding going forward.

Condition: The University did not accurately report the effective date of student's status change to the NSLDS. Of the 40 students selected for enrollment reporting testing, the effective date of the status change for 12 students was not accurately reported. Planned Corrective Action: The cause of the error has been found to be a software issue and the University is actively working with the vendor to determine the ultimate solution. The University has implemented additional controls to ensure that the accurate effective date is reported to the NSLDS in a timely manner. Contact person responsible for corrective action: Diane M. Praet, Associate Vice President and University Registrar Anticipated Completion Date: 3/31/2024

Action taken in response to finding: Fiscal Affairs will review reporting requirements for any funding received; communicate such requirements to the appropriate parties within the University; and coordinate with Office of Research & Sponsored Programs to ensure that the reporting requirement is met.

Action taken in response to finding: Fiscal Affairs will more carefully review methodologies provided by the granting agency when seeking funding, maintain more thoroughly documented records of any pertinent calculations and communications, and ensure that information is disseminated to appropriate parties.

We will review processes uon termination to ensure all necessary documentation is maintained.

Finding Number: 2023-001 Condition: The University did not report the status changes of certain students to the NSLDS in an accurate and timely manner during the fiscal year. Planned Corrective Action: Campus wide operational operation software (Workday) has already implemented software updates fixing this issue. The software upgrade occurred March 24, 2023, and was operational for the 23-24 academic year. Contact person responsible for corrective action: Not applicable Anticipated Completion Date: Not applicable

The City was not aware of the CDBG quarterly PR29 (SF-425) reporting errors. The City has trained staff and implemented revised policies and procedures when preparing the CDBG PR29 (SF-425) quarterly reports to ensure proper reporting of program income on hand and the appropriate federal expenditures utilizing both federal grant and program income.

Corrective Action: After the Food and Nutrition Director reviews the monthly claims, she will send an email noting her approval, before the claim is submitted to the state. This email approval will be attached to the journal entry support that is posted in the financial system when recording the revenue. Contact Person: Amanda Miller, Director of Food & Nutrition Services and Logistics / Ray Serrano - Accountant Anticipated Completion Date: June 30, 2024

CORRECTIVE ACTION PLAN FOR THE YEAR ENDED JUNE 30, 2023 Title 2, U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), Subpart F, Section 511 – Audit Findings Follow-up requires the auditee to prepare a corrective action plan to address each audit finding included in the current year auditor’s reports. The Corrective Action Plan for Current Year Findings present our corrective action plan for the Financial Statement and/or Federal Award Findings described in the accompanying Schedule of Findings and Questioned Costs for the period ended June 30, 2023. Finding 2023-001 Responsible Party Name: Amy Spaeth Position: Co-CEO – Management Agent Telephone Number: 816-236-2435 Federal Agency U.S. Department of Housing and Urban Development Federal Program Supportive Housing for Persons with Disabilities (Section 811) Compliance Requirements N – Special Tests and Provisions Finding Type Federal Awards Auditee’s Comment on Finding We agree with the auditor’s finding. Corrective Action We have deposited the shortfall of $4,320 into the reserve for replacement account in July 2023. We will follow our process to deposit and reconcile the reserve for replacement account on a monthly basis. Anticipated Completion Date N/A

The City of Portsmouth, New Hampshire respectfully submits the following corrective action plan for the year ended June 30, 2023. Audit period: July 1, 2022 – June 30, 2023 The finding from the schedule of findings and questioned costs is discussed below. The finding is numbered consistently with the number assigned in the schedule. FINDING—FEDERAL AWARD PROGRAMS AUDITS DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT 2023-001 Community Development Block Grant - Assistance Listing Number 14.218 Recommendation: We recommend the City enhance internal controls and procedures to comply with all FFATA reporting requirements. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Some FFATA reports were not entered timely into FSRS in FY 23. This was due to an incomplete understanding about the requirement as well as no FFATA reporting requests by the federal granting agency (HUD) to the City. All required FFATA reports were entered into the FSRS after the deadlines, and City staff responsible for FFATA reporting have completed additional training on the requirements. We do not anticipate untimely reports to the FSRS in the future. Name(s) of the contact person(s) responsible for corrective action: Elise Annunziata, Community Development Director Planned completion date for corrective action plan: All required FFATA reports were already entered into the FSRS, and City staff responsible for FFATA reporting have completed additional training on the requirements. We do not anticipate untimely reports to the FSRS in the future.

The implementation of the Corrective Action Plan 2023-003 will ensure that complete reports are submitted for the validation of the compliance with this finding. Additionally, we will analyze our approved budget by ACUDEN to meet supplemental the terms and conditions of the Child Care and Development Fund Program. Implementation Date: Fiscal Year 2023-2024 Responsible Person: Mr. Ángel L. Reyes Matos, Finance Director

As an internal control, the accountant in charge of the program will keep monthly reports of the expenditures to expedite the collection of information and submit timely and complete reports. The documentation of the reports will be physically filed and digitally saved in the accounting files. Implementation Date: Fiscal Year 2023-2024 Responsible Person: Mr. Ángel L. Reyes Matos, Finance Director

Internal control procedures will be strengthened between Financial Aid, the Registrar’s Office, and the Bursar’s Office.

During the year-end audit testing phase, the Financial Aid office was notified in August 2023 of the deficiencies noted on this finding. The Financial Aid office immediately took action to implement the recommendations in August 2023. The District established effective controls in August 2023 to ensure the return of funds occurs within 45 days from the date the institution determines the student withdrew from all classes and that the withdrawal determination is performed within the required timeframe. Additionally, the District implemented procedures in August 2023 to ensure that the academic calendar loaded in the financial aid software is accurate and based on the most up to date information. The District implemented procedures in August 2023 to ensure that the correct student status is utilized in the calculation of Return to Title IV.

Finding 2023-002 Sept. 27, 2023 Criteria: The College is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including a written information security program policy that addresses the six required minimum safeguard elements identified within 16 Code of Federal Regulations (CFR) 314.4 (b). Statement of Condition: A formal written policy was not completed and documented in fiscal 2023 which would have addressed the required written policy noted in 16 CFR 314.4 (b). Corrective Action Plan: • The College agrees and concurs with the audit finding. • The College is working with a cybersecurity partner, OculusIT (OculusIT.com) to assist us with GLBA compliance and cybersecurity hardening of the college’s IT infrastructure. OculusIT will assist us in preparing the required documentation that addresses risk assessment of all three areas noted in the finding. Many elements of GLBA compliance have already been put in place as elaborated below. • Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). Vince Vargiya is the College’s designated qualified individual. • Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). OculusIT will undertake a GLBA risk assessment covering the following areas of the College: o Senior Management o IT Security o Admissions o Registrar Office o Financial Aid Office o HR and Payroll o Student Financial Services o Library Work on completing pre-audit questionnaires for each area is in progress. • Regarding a written information security policy that addresses the minimum safeguard requirements, see below. • Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: o Implement and periodically review access controls. We regularly review access controls to systems containing financial data. Our formal policy will document this. o Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. We maintain a server inventory, noting which sites contain financial information. Our formal policy will document this. o Encrypt customer information on the institution’s system and when it’s in transit. Our server data is encypted using standard SQL TDE encryption. All data transmitted to off campus partners uses the sftp protocol. Our formal policy will document this. o Assess apps developed by the institution. The College’s enterprise apps are commercially sourced, updated using vendor supplied processes per annual support contracts, and not developed in-house. Our formal policy will document this. o Implement multi-factor authentication for anyone accessing customer information on the institution’s system. All users who access Jenzabar (SIS, Financials), PowerFaids (Financial Aid) must use DUO MFA. RaisersEdge (Advancement/Donor Management) employs text or email MFA. All email accounts are secured with google 2 step authentication. Our formal policy will document this. o Dispose of customer information securely. When server hardware is decommissioned, the data drives are physically smashed. When leased endpoint systems are returned to the leasing company, their hard drives are wiped using standard software. Our formal policy will document this. o Anticipate and evaluate changes to the information system or network. We meet regularly with OculusIT to discuss changes to the network. Our endpoints are monitored for malware via a managed detection and response system. Our servers and network switches are monitored 24/7 by the Oculus SOC, and unusual events are flagged and presented to us for analysis. Our formal policy will document this. o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. We have implemented a SIEM server which monitors server and network access and activity and is monitored by the OculusIT SOC. Our formal policy will document this. • Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). We have implemented a SIEM server which monitors server and network access and activity and is monitored by the OculusIT SOC. We receive weekly reports on any server vulnerabilities. We actively work to remediate identified vulnerabilities. We have implemented annual penetration testing, and have completed testing for 2023. We have remediated identified penetration issues. Our formal policy will document this. • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). We require semi annual security awareness training and monthly phishing testing through KnowBe4. Our formal policy will document this. • Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). We require providers to submit SOC1 or HECVAT documentation. Our formal policy will document this. • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). We work with OculusIT to follow up on results of testing and risk assessments. For example, we rescan our network to follow up on the results of pen testing. We meet with the Oculus SOC team to discuss server vulnerabilities uncovered on a monthly basis. Our formal policy will document this process. Names of Contact Persons Responsible for Corrective Action Plan: Gary Rodman (Senior Director of Information Technology), rodmang@ripon.edu, 920-748-8343 Vince Vargiya (Vice President Information Security | CISO, OculusIT) vince_varigiya@oculusit.com 844-462-8587 ext. 193 Anticipated Completion Date: Implementation of this plan began in March 2023, focusing on infrastructure hardening. Formal written polices will be put in place no later than June 30, 2024.

Finding 2023-001 Sept. 26, 2023 Criteria: The College is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for accurately reporting significant data elements under the Campus-Level and Program-Level records within the National Student Loan Data System (NSLDS) that Department of Education (DOE) considers high risk. Statement of Condition: Management's review of the enrollment reporting did not detect errors on certain student data elements. Certain student records within the NSLDS were identified with inaccurate data elements. Corrective Action Plan: • The College agrees and concurs with the audit finding. • The Registrar’s Office has reviewed and remediated all files that were not accurately reported data elements in NSLDS as of September 2023. • The Registrar’s Office will work with the Financial Aid Office to review and regularly monitor student campus and program level enrollment status, especially in the cases of those that have dropped below full time, and are no longer enrolled for various reasons. • The Registrar’s Office will monitor the NSC error report which states discrepancies between NSC and NSLDS. • The Registrar’s Office will work with NSC to remediate processing issues between NSC and NSLDS reports in order to ensure that NSLDS is receiving accurate information. Names of Contact Persons Responsible for Corrective Action Plan: Michele Wittler (Associate Dean of Faculty and Registrar), wittlerm@ripon.edu, 920-748-8119 Katy Crane (Assistant Registrar), cranek@ripon.edu, 920-748-8119 Linda Kinziger (Director of Financial Aid), kinzigerl@ripon.edu, 920-748-8358 Anticipated Completion Date: This plan has been implemented with corrections already made as of September 2023 by the Registrar’s Office. It will be finalized with the fiscal year June 30, 2024 year-end review of Enrollment Reporting.

2023-007: Special Tests & Provisions Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Type of Finding: Significant Deficiency in Internal Control over Compliance Other Matters Recommendation: ISU should implement procedures to ensure that enrollment data, changes in status and effective dates within NSLDS match the records of the intuition and are reported timely. We also recommend that the University implement a formal review procedure to document the review process. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: During our discussion, it became apparent that a significant portion of the findings pertaining to the Office of the Registrar stemmed from enrollment status change not being reported to NSLDS within 60 days. To remedy this, we have added three new automated enrollment uploads right after the upload of the graduation file respectively in Fall, Spring and Summer. The three automated enrollment uploads to be sent to NSLDS are scheduled as follows: 1. On February 16; 2. On June 3; 3. On September 1. Name(s) of the contact person(s) responsible for corrective action: Hala Abou Arraj, Registrar Planned completion date for corrective action plan: Implemented in February 2024