Corrective Action Plans

Student Financial Assistance Cluster – Assistance Listing No. Various Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Mount Mercy University’s information technology department has implemented an annual process to review access controls and ensure access is only provided to authorized individuals. Authorized users will only have access to sensitive information which is required to perform their roles and responsibilities. Name(s) of the contact person(s) responsible for corrective action: Curtis Sanders Planned completion date for corrective action plan: 06/30/2025

Student Financial Assistance Cluster – Assistance Listing No. Various Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Item was in reference to Perkins Loans that were assigned to ED. While the University does not disagree with the fact that three MPN’s were unavailable, each were old Perkins Loans, and each were successfully assigned to ED utilizing alternative documentation, as suggested by ED. The University has a current process in place to retain all information in student files for a minimum of three years. Name(s) of the contact person(s) responsible for corrective action: Mark Freed Planned completion date for corrective action plan: 06/30/2025

Student Financial Assistance Cluster – Assistance Listing No. Various Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: This process is being reviewed with the Registrar’s Office, as they complete enrollment reporting through the Clearinghouse. The University has found that some delays are happening due to the lack of federal aid at the initial time. For example, one student started in Fall 2023 and the University has documentation to reflect the student was reported to Clearinghouse within the required timeframe. However, the student had not completed Entrance Counseling or a Master Promissory Note, thus they had not received Title IV aid and were not included in the request file from NSLDS to the Clearinghouse. The University will continue to review and make appropriate changes to the current process. Name(s) of the contact person(s) responsible for corrective action: Mark Freed Planned completion date for corrective action plan: 06/30/2025

Federal Agency Name: Department of Housing and Urban Development Program Name: Section 242 – Mortgage Insurance - Hospitals Federal Financial Assistance Listing #: CFDA #14.128 Compliance Requirement: Special Tests and Provisions Finding Summary: During the fiscal year, the Organization entered into a 5-year lease on equipment. A financing lease is identified in the Mortgage Note Insured by HUD as the incurrence of additional indebtedness which, by terms of the agreement, should be approved by HUD in advance of entering into the finance lease agreement. Responsible Individuals: Jay Hodges, Chief Financial Officer Corrective Action Plan: Management will enhance internal controls to ensure additional indebtedness is approved by HUD in advance of entering into the finance lease agreement. Anticipated Completion Date: December 10, 2024

The Attendance and Records Center (ARC) team has put in place a process to check students with any cohort removal codes on a weekly basis, and ensure any required backup documentation is scanned into Aeries. Additionally, all staff received training on the Status Change form and the cohort exit codes that require backup documentation. The ACCESS Administrative Guidelines and Procedures Manual was also shared with staff, including section 3.9 addressing, "Documentation and Evidence Required in Order to Remove a Student from the High School Graduation Rate Cohort." All new staff will receive a copy of the manual. In response to the 2023-2024 audit additional measures have been taken in perpetuity: a) Every four weeks a sql query is run to find all cohort removal exit codes. Each one is confirmed or changed according to the documentation provided. b) Each year we re-train the enrollment staff to follow procedures in alignment with the state requirements. The meeting for this year was held on May 22, 2024 and it will be reviewed again in the Spring. c) Internal Policy and Procedure reflects not only the importance of proper documentation but provides details about what the documentation should be. These monitoring steps will ensure that this will not be a finding in the following year.

Federal Programs: Social Services Block Grant ( ALN 93.667) and Formula Grants for Rural Areas (ALN 20.509) Finding 2024-1: Significant Deficiency. Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Condition: An effective internal control system was not in place to ensure compliance with requirements related to the grant agreement and the allowable costs and allowable activities compliance requirements. Cause: Allocations based on timesheets were not correctly calculated and therefore the splits were not correct. Effect: The failure to establish an effective internal control system placed the Agency at risk of noncompliance with the grant agreement and the compliance requirements. A lack of effective reviews could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by the review process not ensuring there was accurate reporting of the activities of the programs. Repeat Finding: This is not a repeat finding. Questioned Costs: There were no questioned costs identified. Recommendation: Add additional reviews or calculation checks to make sure the percentage of payroll is correctly split across the various grant awards based on time spent for each grant category. Views of responsible officials and planned corrective actions: Management is in agreement with the finding and has prepared a corrective action plan.

Views of Responsible Officials and Planned Corrective Actions: The deposits will be made as cash flows permits. The collection of tenant receivables and subsidy payments will improve as new property management team stabilizes operations by reducing turnover and increasing use of new property management system once fully implemented.

Views of Responsible Officials and Planned Corrective Actions: The planned corrective action did not take place as cash flow issues persist. The deposits will be made as cash flows permits. Inglis is in process of billing prior year amounts that are now in compliance and current year amounts.

Finding Reference Number: 2024-004 Initial Fiscal Year: 2023 Summary of Finding: Significant Deficiency: Disbursement Notifications (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268; U.S. Department of Education, Teacher Education Assistance for College and Higher Education Grants, ALN #84.379) (Repeat Finding: 2023-005) In accordance with 34 CFR 668.165(a)(2), when a University credits a student’s account, the University must notify the student or parent of (i) the anticipated date and amount of the disbursement, (ii) the student’s or parent’s rights to cancel all or a portion of that loan or disbursement, and (iii) the procedures and time by which the student or parent must notify the University that he or she wishes to cancel the loan or disbursement. This communication must occur no earlier than 30 days before, and no later than seven days after, crediting the student’s ledger account at the institution if the institution does not obtain affirmative confirmation from the student. During the 2024 audit, it was noted that 13 of 38 students, or 34.2%, who had received Direct Loan funds and/or TEACH grant funds did not receive disbursement notifications due to a system failure. The failure was not noticed to be able to remedy the situation timely. The University should ensure system functionality periodically, specifically entering periods in which disbursements are concentrated, such as the beginning of the semester, to prevent lapses in mass. The University should also create a process to verify that disbursement notifications have been distributed as intended, so that any missed notices can be remedied timely. Entity’s Corrective Action Plan Corrective Action Plan Summary: The University has taken a comprehensive and proactive approach to address this issue through two key initiatives. First, we have instituted a robust audit process designed to ensure the integrity and functionality of the system responsible for documenting sent emails. This process enables us to systematically verify that the system is operating as intended. Second, we have deployed advanced software solutions that serve to mitigate the risk of similar issues arising in the future. These combined measures reflect our commitment to ensuring operational reliability and preventing recurrence. Anticipated Completion Date: October 1, 2024 The corrective action plan has been implemented to resolve the prior year finding, helping to ensure that future dates are accurate. Name and Title of Responsible Person: Rocky Christensen, Director of Financial Aid

Finding Reference Number: 2024-003 Initial Fiscal Year: 2024 Summary of Finding: 2024-003 Significant Deficiency: Direct Loan Limits (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) In accordance with the Federal Student Aid Handbook, Volume 3, Chapter 3, you must determine an undergraduate student’s Pell Grant eligibility before originating a Direct Subsidized or Unsubsidized Loan for that student, and you must package Campus-Based funds and Direct Subsidized Loans before Direct Unsubsidized Loans. In addition, you must determine an undergraduate student’s maximum Direct Subsidized Loan eligibility before originating a Direct Unsubsidized Loan for the student. The student’s maximum annual loan limit increases as the student progresses to higher grade levels. During the audit, it was noted that the University did not fulfill maximum award of students’ Direct Subsidized Loan eligibility prior to awarding Unsubsidized Direct Loans for 3 of the 32 applicable students tested, which is a 9.4% error rate. This finding is monetary in nature. In the instances noted in testing, the total error is $5,983 in under-award. Extrapolation of this monetary error estimates a total potential error of $54,614. The University should institute processes and controls to ensure that the student eligibility is assessed properly based upon grade level progression and that maximum Subsidized Direct Loans are awarded prior to Unsubsidized Direct Loans, as this practice is more beneficial for the student. Entity’s Corrective Action Plan: Corrective Action Plan Summary: The University has determined that this finding was caused by a deficiency in the software’s calculation of the subsidized award. Specifically, the software failed to update the student’s records following changes in circumstances that impacted the calculation of financial need. In response, the University has conducted a thorough evaluation and implemented new software designed to address this issue and ensure accurate calculations in future cases. Anticipated Completion Date: November 1, 2024 The corrective action plan has been implemented to resolve the prior year finding, helping to ensure that future dates are accurate. Name and Title of Responsible Person: Rocky Christensen, Director of Financial Aid.

Finding Reference Number: 2024-001 Initial Fiscal Year: 2023 Summary of Finding: Significant Deficiency: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) (Repeat Finding: 2023-001) In accordance with 16 CFR 314.4, a University shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue and must contain all of the elements that are further described in 16 CFR 314.4 During the audit, it was noted that the University’s Gramm-Leach-Bliley Act Policy did not fully address all of the requirements as described by 16 CFR 314.4. In addition, the application of the comprehensive information security program was not effectively administered by the University during the 2024 year. An updated policy was put into place in July 2024, which addressed several of the deficiencies noted in the existing policy, but not all. The University should continue to update their Gramm-Leach-Bliley Act Policy to be in accordance with the requirements and put in place effective controls and practices to ensure the policy is monitored in a way to ensure it is administered effectively and timely. Entity’s Corrective Action Plan: The Johnson University IT Department has consistently worked to improve compliance with GLBA regulations since July 2023. The leadership of Johnson University has taken a proactive and measured approach to GLBA compliance that ensures a balance between reaching compliance quickly and reaching compliance with long-term strategic planning. This has led to a GLBA implementation that will take 2 or more years but will set up the university for long-term excellence in compliance and security. The University understands the importance of GLBA requirements and is committed to ensuring student data is protected from all foreseeable threats. It will continue to iterate on its GLBA corrective action plan to ensure proper compliance for long-term security. The Johnson University IT Department has developed a plan to address deficiencies in GLBA compliance in each of the following areas: Requirement 1 - Qualified Individual: 16 CFR 314.4(a) Johnson University has designated Tim Fisher as our Qualified Individual. Tim Fisher is an employee of Johnson University, serving in the IT Systems Analyst role, and will work alongside Johnson University’s IT Director to oversee the information security program and its implementation. While Tim has over 15 years of on-the-job cybersecurity experience, additional training resources have already been provided to Tim Fisher to pursue the CompTIA Security+ certification. Tim Fisher expects to complete the training and gain the certification by the end of 2025. This was deemed sufficient for GLBA compliance in the audit report provided by Blackburn, Childers & Steagall, PLC dated November 6, 2024. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Requirement 2 - Risk Assessment: 16 CFR 314.4(b) Johnson University partnered with HORNE, a cybersecurity company, to conduct a risk assessment in November 2023. The assessment covered several topics and recorded inherent risk levels, existing mitigating controls, and the residual risk levels of each topic covered. Residual risk levels, the level of risk existing despite the existing controls, were found to be considered high in termination procedures and review of security logs. GLBA policy development and implementation decisions were based heavily on this initial risk assessment. A more comprehensive cybersecurity company with experience serving customers in Higher Education, DeapSeas, has been selected for ongoing cybersecurity assistance and will be conducting future risk assessments. Additional risk assessments are planned to be performed every 2 years to reexamine reasonably foreseeable risks and to account for changes in cybersecurity controls. The next risk assessment shall be completed by the end of 2025. Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Requirement 3.1 - Access Controls: 16 CFR 314.4(c)(1) Johnson University policy ensures that employee supervisors dictate appropriate access for each employee to the IT Department when they are hired or change positions. Supervisors are responsible for ensuring employees have appropriate access to locations where sensitive information is stored, such as file servers and Jenzabar (Student Information System) software access. The IT Department processes permission changes and does not provide permissions without explicit request from the employee supervisor. Auditing existing permissions is a weak spot that has, in the past, taken hours of manual work. We have purchased software, AD Manager, to assist with access reviews. We expect this software to be ready to audit necessary permission groups by the end of 2024. This should significantly reduce the time it takes to audit permissions through additional reporting and easy remediation features. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement, instituting a continuous monitoring process undertaken at periodic intervals. The University has contracted with a new software to assist with this, which is expected to be live by December 31, 2024. Note from JU IT: Requirement 3.1, access control reviews, is complicated as each department supervisor is responsible for setting access permissions. The IT Department will need to engage department supervisors for review and approval. Due to the transition in the I.T. Director position, the expectation to be live should be adjusted to March 31, 2025. Requirement 3.2 – Data Identification: 16 CFR 314.4(c)(2) Informal identification has been completed by the IT Department through generalized asset inventory procedures. DeapSeas, our selected cybersecurity vendor, has been contracted to conduct a more formal data identification procedure in early 2025. This will identify critical items and analyze risks and responsibilities associated with each party. This procedure will take place through scanning the corporate network and interviewing departments on their data storage procedures. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Resolution to this matter is expected to be addressed and incorporated into the policy by December 31, 2024.” Note from JU IT: For requirement 3.2, data inventory, we’re already under contract with DeapSeas to do this. It will be completed by March 31, 2025. Requirement 3.3 – Encryption: 16 CFR 314.4(c)(3) Johnson University has had encryption in transit for several years but has not had encryption at rest. Johnson University purchased licenses to enable encryption at rest in October 2023 and finished a project to encrypt most virtual machines containing sensitive data using AES-256 and XTS-AES-256 encryption on April 29, 2024. The remaining virtual machines are planned to be encrypted before the end of 2024. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement.” Requirement 3.4 – Secure Development: 16 CFR 314.4(c)(4) Johnson University does not develop in-house applications for transmitting, accessing, or storing customer information. A combination of the risk assessment, vendor analysis, and penetration testing will assess the security of externally developed applications. The risk assessment has already been completed, but further vendor analysis and penetration testing are planned to be completed by the end of June 2025. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. However, the University does not develop in-house applications for transmitting, accessing, or storing customer information.” Requirement 3.5 – Multi-factor Authentication: 16 CFR 314.4(c)(5) Johnson University has enabled multi-factor authentication on all connections to the server where our student information system (Jenzabar One) is accessed. Multi-factor authentication is also enabled for all logins to Office 365 and integrated applications, such as Zoom videoconferencing, our student/employee portal, Jenzabar Financial Aid (financial aid management system), and Jenzabar Recruitment (admissions software). Multi-factor authentication is also enabled on connections to our administrative systems, such as our network firewall, hypervisor, door access control, and security camera management systems. With multi-factor authentication requirements for all these systems, we believe that multi-factor authentication is enabled on all critical systems to protect student information. Evaluation of low-risk systems, such as our classroom audiovisual systems, for feasibility of multi-factor authentication are ongoing and expect to be completed by the end of 2024. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. However, the University utilizes multi-factor authentication on all connections to the server where student information system is accessed, as well as administrative and financial applications.” Requirement 3.6 – Data Retention: 16 CFR 314.4(c)(6) Organizational data retention policies, developed by the Finance Department, are currently in effect. These policies were originally written for other means but have some overlap with GLBA regulations. Evaluation of these policies for effectiveness is ongoing and expected to be completed by the end of 2024. Future evaluations for the effectiveness of data retention policies will take place every other year in a joint venture with the Finance and IT Departments. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Evaluation of organizational data retention policies for effectiveness is ongoing and expected to be completed by December 31, 2024. Note from JU IT: Requirement 3.6, data retention policies, will require collaboration between Finance and IT. Finance’s existing policies on data retention need to be enhanced. This just takes time and decisions from the CFO (how long to retain and when to delete – IT will be enforcing the policy technically). Evaluation will be completed by June 30, 2025. Requirement 3.7 – Change Management: 16 CFR 314.4(c)(7) Change management procedures have been discussed and official policies are being developed. Evaluation of security risk and risk of downtime or other degradation of service are being considered in change management procedures. Official policies should be in place in 2025. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. Official policies should be in place by December 31, 2024. Note from JU IT: A change management plan will be completed by March 31, 2025. Requirement 3.8 – User Logging: 16 CFR 314.4(c)(8) User logging is in place for all log-ins to Office 365 log-ins to its services and integrated applications. Microsoft Entra sign-in risk and user-risk policies are in place to enforce stronger security measures during sign-in, force password resets, or deny sign-ins altogether based on risk analysis. Sign-ins to on-premises resources are logged through new software, Log360, implemented in March 2024. Log360 analyses log-ins and sends notifications to IT Department technicians via email for suspicious activity. IT will then process these reports to take appropriate action to resolve the threat unless there is sufficient evidence of a false positive. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Office 365 user logging has been in place; sign-ins to on-premises resources was implemented in March 2024. IT has processes in place for addressing suspicious activity.” Requirement 4 – Security Assessment: 16 CFR 314.4(d)(1) DeapSeas, a cybersecurity vendor, has been chosen to conduct security assessments. A security assessment is planned for early 2025. Ongoing, internal security assessments are planned on an annual basis to be conducted by the IT Department. These assessments will assist in evaluating the effectiveness of existing controls and the ongoing development of the security program. Software has also been purchased and implemented for continuous monitoring of vulnerabilities within organizational software. The software, Vulnerability Manager, provides notice of known vulnerabilities and available patches for software installed on devices within our organization. These notifications are distributed through the software and through email. Automated and semi-automated patches are available through the software to be deployed to organizational devices over the internet. Patching known vulnerabilities within our software portfolio is a priority for us. This system should reduce overall risk and patch effectiveness will be verified with penetration testing. Our first annual penetration test is planned for early 2025. Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Requirement 5 – Security Training: 16 CFR 314.4(e) Security training has been made mandatory for all employees beginning in Fall 2024. Security training is done through our online video training platform, KnowBe4. This system allows for video, quizzes, and other learning material to be presented to the employees. KnowBe4 develops this content and ensures accuracy and appropriateness. Johnson University IT Department selects available materials and assigns them to employees. Security training was last updated after the initial risk assessment and will be reviewed every 6 months. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Requirement 6 – Service Providers: 16 CFR 314.4(f) Collection of SOC2 security reports from vendors that have access to systems with student information is in progress. The collection and analysis of these reports is expected to be completed by the end of 2024. Review of these reports is planned to be conducted annually, with requests for updated security reports every 3 years. \ Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Requirement 7 – Security Control Monitoring: 16 CFR 314.4(g) Security controls are being monitored using Log360 wherever possible. Continuous evaluation of these controls is underway and adjustments will be made to security controls as needed. New change management policies and penetration testing will influence the way we evaluate these controls and will likely include changes to monitoring systems and evaluation methods. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Anticipated Completion Date: Fall 2026 Name and Title of Responsible Person: Luke Edwards, Director of IT.

Finding Reference Number: 2024-002 Initial Fiscal Year: 2024 Summary of Finding: 2024-002 Significant Deficiency: Return to Title IV Funds (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268; Federal Pell Grant Program, ALN #84.063) In accordance with 34 CFR 668.22(f), in the calculation of the percentage of payment period and/or period of enrollment completed, the total number of calendar days in a payment and/or enrollment period includes all days within the period, except that institutionally scheduled breaks of at least 5 consecutive calendar days and days in which the student was on an approved leave of absence are excluded from the total number of calendar days in a payment period and/or period of enrollment. During the audit, it was noted that the University used the incorrect number of completed days in the payment period or period of enrollment in calculating the percentage of the Title IV aid earned. The audit included a detailed testing of 5 withdrawal student files, of which this significant deficiency applies to 1, indicating an error rate of 20.0%. This finding is monetary in nature. In the instances noted in testing, the total error identified is $1,992 in over-award. Extrapolation of this monetary error was not necessary as the 5 withdrawal students tested as part of the 2024 audit constitute the entire withdrawal population for the period under audit. The University should ensure that the number of completed days in the payment period or period of enrollment are counted correctly utilizing the guidance provided by the Compliance Supplement and the Student Financial Aid Handbook. Entity’s Corrective Action Plan: Corrective Action Plan Summary: The University has determined that this matter constitutes a unique training situation involving the application of procedures related to the Return of Title IV funds. In particular, the University recognizes the need for enhanced training concerning the accurate counting of days when a student withdraws, provides written notification of their intent to attend a future module within the same term, and subsequently withdraws from that second module. The error in question arose from the miscalculation of days, where the University inadvertently counted all days in the initial module rather than counting only the days leading up to the student's initial withdrawal prior to the final withdrawal from the second module. This oversight was attributed to an individual employee, and the University has proactively implemented comprehensive training and procedural safeguards to prevent similar occurrences in the future. Anticipated Completion Date: August 01, 2024 The corrective action plan has been implemented to resolve the prior year finding, helping to ensure that future dates are accurate. Name and Title of Responsible Person: Rocky Christensen, Director of Financial Aid.

Name of Contact Person: Melanie Imholte Finance Director mimholte@soldotna.org 907-714-1224 Finding 2024-001 Reporting – Significant Deficiency in Internal Control Over Compliance Corrective Action The City of Soldotna will revise policies and procedures to ensure review and approval of grant reports being submitted. Expected Completion Date: Fiscal Year 2025

oronavirus State and Local Fiscal Recovery Funds – Assistance Listing No. 21.027 Recommendation: We recommend that the Organization implement controls to ensure that suspension and debarment verification is performed before entering into a covered transaction with a vendor. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: -New Vendor Form has been updated and includes the steps to verify each new vendor has been reviewed for disbarment and suspension prior to hiring the contractor. -All new contracts include a review of the purchasing department as part of the process before signing the contract. -Updated review of vendors used for federal funds will be done as new projects begin again as part of the update performed by the purchasing department. -Bidding process will also include a review of vendors and will start for any new bids going out after 1/1/2025. Name of the contact person responsible for corrective action: Angela Westwood, CFO Planned completion date for corrective action plan: Immediate with full review and changes to policies 11/30/2025 If the U.S. Department of the Treasury has questions regarding this schedule, please call Angela Westwood at (203) 562-2264.

Finding 2024-001 Condition: Supporting documentation was missing for 6 out of 98 disbursements selected for allowable costs testing during the audit. Without itemized receipts we were unable to determine if the purchases were allowable. However, the projection of the error was less than the $25,000 reportable limit of questioned costs. Cause: The Organization’s controls did not provide for supporting documentation to be adequately retained. Recommendation: We recommend that internal control procedures on recordkeeping and filing should be clearly stated as part of the Organization policy. Management Response: We concur with the finding. Corrective Action: 1. The Finance Committee will review and update the Organization's Policy to more clearly state expectations regarding control procedures on recordkeeping and filing. 2. Administrative staffer is being hired and will be responsible for streamlining supply ordering, setting up store accounts where possible to limit the need for in-store purchases, as well as the collection and filing of receipts. 3. Staff with credit cards will be retained regarding receipt retention procedures. Name of Responsible Person: Beth VanDerbeck

Enrollment Reporting Recommendation: We recommend the College strengthen its review and reporting procedures for enrollment status changes to ensure timely and accurate updates to NSLDS. View of Responsible Officials and Planned Corrective Actions: The College acknowledges the errors in the reporting and is updating its procedures to ensure prompt communication of status changes. Staff will receive training to correctly handle student enrollment updates, and the institution will implement additional checks to avoid future errors.

Disbursements to or on Behalf of Students Recommendation: We recommend the College review its refund procedures and implement controls to ensure refunds are disbursed within the required time frame. View of Responsible Officials and Planned Corrective Actions: The College will review its internal processes for handling refunds and ensure that future refunds are processed within the 14-day window. Training will be provided to the responsible staff to improve compliance with regulations.

Response – The Organization is committed enhancing its financial reporting process, particularly during the end of the year conversion from cash-based to accrual accounting, to ensure revenues and expenses are properly aligned with the correct fiscal years. In fiscal year 2024, two independent accounting firms supported the year-end financial reporting, and the Organization will continue collaborating with them or other qualified professionals to maintain accurate and comprehensive financial statements. Responsible party for corrective action – Dekow Sagar, Executive Director

Response – The accounting firm will refrain from entering expenses into the QuickBooks reconciliation unless supported by signed invoices. The Executive Director (ED) and Finance Manager will sign all recurrent payment invoices, regardless of the amount, prior to payment. Additionally, the Finance Manager, ED, and the accounting firm will cross-check transactions for accuracy. While we respect the auditor's recommendation, we consider it minor, as all purchases were accompanied by supporting documentation. The auditors requested additional invoice approval for all recurrent payments, such as subcontractor payments to Lincoln Literacy, despite the existence of binding agreements or MOUs governing those transactions. Responsible party for corrective action – Dekow Sagar, Executive Director

Contact person responsible for correction action – Michell Hall, CFO Anticipated completion date – June 30, 2024 Corrective action Sterling College agrees with the auditors finding regarding special reporting. We do not anticipate any issues with future reporting as we now understand the process for the reporting.

Contact person responsible for correction action – Mitzi Suhler, Financial Aid Director Anticipated completion date – June 30, 2024 Corrective action Sterling College agrees with the finding of the under award of the Federal Supplemental Education Opportunity funds. This was an oversight of the $100 threshold for awarding this fund. The financial aid office will review the awarding of this fund each year to ensure thresholds and awarding criteria are understood and followed.

In order to prevent students from being missed in enrollment reporting, the College has enhanced its process to include a check and balance of the 100% refund report provided by the Registrar's Office on the first day of school against the 75% and 40% refund reports; this review will ensure that all exited students are reported as exited in the approporiate timeframe. The Exit list report has historically had a column where the Registrar records the date when the student information is submitted to NSC (National Student Clearinghouse). We have now added a new field to the Exit list report that Financial Aid will be responsible for entering the date at which confirmation is made that the data is correct in NSLDS. The FA Office will be responsible for checking the NSC and NSLDS to ensure all withdrawn students are reported accurately. Following the 40% refund period, the College's Student Success Committee will review a list of students at risk of exiting, and will confirm that any exits after the 40% refund period have been accurately recorded.

12/16/2024 United States Department of Health and Human Services Betty Jean Kerr – People’s Health Centers respectfully submits the following corrective action plan for the year ended May 31, 2024. CohnReznick LLP 350 Church Street Hartford, CT 06103 Audit Period: May 31, 2024 The findings from the May 31, 2024 schedule of findings and questioned costs are discussed below. The findings are numbered consistently with the numbers assigned in the schedule. FEDERAL AWARDS FINDINGS AND QUESTIONED COSTS Section III‐ Federal Award Findings and Questioned Costs Community Health Centers, Affordable Care Act (ACA) Grants for New and Expanded Services Under the Health Center Program, COVID-19 Affordable Care Act (ACA) Grants for New and Expanded Services Under the Health Center Program Federal Assistance Listing Numbers: 93.224 and 93.527 Item 2024‐001 – Special Tests Recommendation The Center should establish a system of internal controls to ensure that all slide fee discounts are properly calculated based on family size and income. Repeat Finding Yes Action Taken 1. Upon notification of findings, new reporting structures and training were developed for the FOA staff. Direct governance was moved from finance to operations, and the scheduling supervisor was promoted to a newly created role entitled the Director of Patient Access. This role is directly responsible for training and the scheduling of FOA staff as well as data integrity of registration information. 2. Once developed, we provided targeted training sessions for all staff involved with the calculation of sliding fees on the policies and procedures to ensure:  The sliding fee guidelines document is known.  Understanding of the methodology for calculating fees, including how family size and income are considered.  Documentation required to support income and family size information provided by clients. This may include tax returns, pay stubs, or other relevant documents.  To use the standardized form (checklist) to ensure all necessary information is collected and verified. 3. We also have implemented a monthly audit process that randomly selects a sample of sliding fee patients. Selected patients’ files are reviewed to identify any potential discrepancies. If discrepancies are noted, prior to remediation, errors are documented so that thematic analysis can be conducted, and root causes can be identified. To ensure traction of the initiative, audit findings are presented monthly to the quality assurance and performance improvement committee. 4. We make every effort we can to effectively communicate the sliding fee scale to clients. In addition to face-to-face communication, it is presented openly in several locations throughout the agency and is also available on our website. We are aware that ensuring the continued compliance of the SFS scale determinations, as well as the financial accuracy of our books requires consistent and continuous commitment to quality and improvement. We are confident that the changes made to our internal controls will significantly strengthen our processes. We believe these measures will mitigate the risk of errors and inaccuracies in the future, providing greater assurance over the reliability of our financial reporting. If the Cognizant or Oversight Agency for Audit has questions regarding this plan, please call: Javier Vallejo, CFO at 314-482-0915. Sincerely yours, Javier Vallejo Chief Financial Officer

Student Financial Aid Cluster – Assistance Listing No. 84.063 & 84.268 Recommendation: We recommend that the College rebuilds the ‘Primary Program GT eForm’ to include a check that verifies all programs are not designated as Secondary. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Records staff now individually review each form submission to ensure a Primary program is appropriately assigned. In addition, a fix is being implemented to the District’s NSC file submission to verify students who have Primary and Secondary programs appear accurately. A cross-functional team has been established to create an audit report to scale NSC file submissions, as well. Name(s) of the contact person(s) responsible for corrective action: Laurie Grigg, Chief Financial Officer Planned completion date for corrective action plan: June 30, 2025

Student Financial Aid Cluster – Assistance Listing No. 84.063, 84.268, 84.007, 84.033 Recommendation: We recommend that the College verifies all withdrawal dates surrounding scheduled breaks. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: The withdrawal date and student payment has been updated to reflect the appropriate calculation. Name(s) of the contact person(s) responsible for corrective action: Laurie Grigg, Chief Financial Officer Planned completion date for corrective action plan: June 30, 2025