Corrective Action Plans

Criteria: Institutions are required to report all Direct Loan (DL) disbursements and submit required records to the Department of Education's Common Origination and Disbursement (COD) which is a web-based system for processing, storing and reconciling DL financial aid data. Each month, the COD provides Institutions with a School Account Statement (SAS) date file which consists of a Cash Summary, Cash Detail and (optional at the request of the school) Loan Detail records. The school is required to reconcile these files to the Insitution's financial records ("DL Reconciliations"). While the University has made significant improvements in this reconciliation process and that of the other related federal award programs, there are still unreconciled differences in all three major federal pass-through program's reonciliations as noted in the financial statement audit. However, for FY23, these differences netted to an immaterial difference overall and were no adjusted / passed during the financial statement audit. However, differences still remain, and the reconciliation process still needs to be improved upon. The University concurs with the audit finding and will adhere to the corrective action plan. Corrective action: The Student Financial Aid activity was reconciled among the Registrar, Financial Aid, and Business Offices as of June 30, 2023, at detailed (student) level. Monthly reconciliations will be maintained effective July 2023. Responsible Person(s): Robert Merino, Executive Director of Financial Aid jrmerino@vuu.edu 218 795-6190. Planned Date of Completion of Corrective Action: December 31, 2023.

The University did not timely disburse a Pell grant to an eligible student within the payment period. Corrective Actions Taken or Planned: Run the pending Pell Grant report weekly and investigate any returning corrections that were delayed by CPS such as this case. Anticipated Completion Date: August 1, 2023 Contact Person: Julie Haack

The University did not accurately or timely report enrollment changes to the National Student Loan Data System (NSLDS). Corrective Actions Taken or Planned: Based on these circumstances of a reported status being overwritten by a monthly update, we will do a random audit of all reported withdrawn students to make sure the correct status has flowed through to NSLDS from NSLC Anticipated Completion Date: December 1, 2023 Contact Person: Julie Haack

Condition: The Institution does not have evidence that exit counseling was provided to students who withdrew or graduated as required by 34 CFR 682.604. Planned Corrective Action: The Iliff School of Theology has contracted with a professional, third-party processing company to administer its student aid programs. The school has also ensured that this third-party processor is properly coordinated with the registrar’s office to meet federal requirements for exit counseling when status changes are processed. Contact person responsible for corrective action: Jason Warr, VP for Business, Controller Anticipated Completion Date: May 2024

Condition: The Institution does not have a documented Direct Loan quality assurance program. Planned Corrective Action: The Iliff School of Theology has contracted with a professional, third-party processing company to administer its student aid programs. The school will coordinate with this third-party processor to ensure that there is a documented quality assurance program that is regularly exercised for compliance purposes. All documentation will be maintained. Contact person responsible for corrective action: Jason Warr, VP for Business, Controller Anticipated Completion Date: May 2024

Condition: Our audit procedures identified an instance where the Institution could not locate evidence that the required R2T4 calculation under federal regulation was completed. The total aid disbursed to this student was $5,125. Planned Corrective Action: The Iliff School of Theology has contracted with a professional, third-party processing company to administer its student aid programs. This third-party processor is adequately skilled to complete Return of Title IV calculations and includes an established review process for quality control. All documentation will be maintained. Contact person responsible for corrective action: Jason Warr, VP for Business, Controller Anticipated Completion Date: May 2024

Condition: The Institution does not reconcile institutional records with Direct Loan funds received from the Secretary of the U.S. Department of Education and the Direct Loan disbursement records submitted to and accepted by the Secretary of the U.S. Department of Education. Planned Corrective Action: The Iliff School of Theology has contracted with a professional, third-party processing company to administer its student aid programs who will ensure that direct loan reconciliations are conducted on a monthly basis in coordination with the business office. Contact person responsible for corrective action: Jason Warr, VP for Business, Controller Anticipated Completion Date: May 2024

Condition: Our audit procedures identified instances of inaccurate or untimely reporting of enrollment information to NSLDS. Planned Corrective Action: The Iliff School of Theology has contracted with a professional, third-party processing company to administer its student aid programs. The school has also ensured that this third-party processor is properly coordinated with the registrar’s office to meet federal requirements for NSLDS enrollment reporting. Contact person responsible for corrective action: Jason Warr, VP for Business, Controller Anticipated Completion Date: May 2024

Condition: Our audit procedures identified instances of MPNs not being properly maintained. Planned Corrective Action: The Iliff School of Theology has contracted with a professional, third-party processing company to administer its student aid programs. The school has also ensured that this third-party processor is properly reviewing MPNs to meet federal requirements. Contact person responsible for corrective action: Jason Warr, VP for Business, Controller Anticipated Completion Date: May 2024

Condition: The institution submitted a FISAP to the U.S. Department of Education that reported inaccurate information in several data fields within the report. In addition, there was no evidence that an individual other than the preparer reviewed the report. Planned Corrective Action: The Iliff School of Theology has contracted with a professional, third-party processing company to administer its student aid programs. Preparation and submission of the FISAP will be completed with coordination between the VP of Business and the third-party processor. This includes a quality review process for accuracy. Contact person responsible for corrective action: Jason Warr, VP for Business, Controller Anticipated Completion Date: May 2024

Condition: Due to the limited number of personnel within the Financial Aid Department, the director of financial aid is solely responsible for packaging, awarding, and disbursing to student accounts Federal Student Financial Aid (Title IV) as well as calculating return of Title IV funds for students who withdraw from the School to student accounts. The packaging of Title IV aid and the return of Title IV funds are complex calculations that are not formally reviewed by another employee. Planned Corrective Action: The Iliff School of Theology has contracted with a professional, third-party processing company to administer its student aid programs. This third-party processing company is structured to properly segregate financial processing and includes a quality review function. Contact person responsible for corrective action: Jason Warr, VP for Business, Controller Anticipated Completion Date: May 2024

Since August 2022, the Financial Aid Office has been responsible for enrolment reporting. The contract with the third-party vendor was terminated, and the process was reassigned to the Financial Aid Office. As of August 2022, the Financial Aid Office staff is required to update the roster monthly through the NSLDS website, no later than 15 days after receiving it. The Registrar’s Office generates a graduate student report at the end of each academic period, and the Financial Aid Office updates the student statuses on the NSLDS website.We commit to implementing the corrective plan for this finding by March 31,2025.

Management will be more vigilant and will review future filings before they are published.

The financial aid department has developed a Direct Loan workflow process in accordance with federal guidelines. Utilizing Colleague's software, the financial aid office can now accurately assess students' aid eligibility to ensure they are appropriately awarded. Colleague has Award Eligibility Critiera (AEC) rules invoked at transmittal to determine if the student is eligible to receive loan funds.

The Univesity implemented a comprehensive ERP software tool, Ellucian Colleague in FY2021 and FY2022 and hired more staff. The built-in internal control structure, which includes access to enrollment reports and data coupled with a complete reconciliation process with the Office of Financial Aid, Office of the Registrar and Student Account wills prevent this from recurring.

Return of Title IV (R2T4) Calculations Planned Corrective Action: Southwestern Christian University will provide more training and resources regarding the R2T4 process of modular withdrawals. Southwestern Christian University will have all R2T4's reviewed by a second financial aid staff member. Person Responsible for Corrective Action Plan: Rita Palmer, Director of Financial Aid/Fully Disbursed, Third­ Party Servicing Agreement Anticipated Date of Completion: Immediately

Credit Balances and Heightened Cash Monitoring 2 (HCM2) Compliance Planned Corrective Action: Southwestern Christian University will provide ongoing training to current staff as well as new staff on HCM1 and/or HCM2 compliance regulations with the Department of Education. SCU will have additional staff review student accounts for credit balances that would result from disbursements of Title IV Aid. Person Responsible for Corrective Action Plan: Rita Palmer, Director of Financial Aid Anticipated Date of Completion: Immediately

Audit Period: June 20, 2022 The finding from the June 30, 2022 Schedule of Findings and Questions Costs is discussed below. The Corrective Action Plan does not include the corrective actions for our discreetly presented component unit, Luna Community College Foundation (LCC Foundation). LCC Foundation does not have federal funds in excess of $750,000. The finding is numbered consistently with the numbers assigned in the schedule. FEDERAL PROGRAM INFORMATION: 2022-005 – Return of Title IV Funds (Other Non-Compliance) Funding Agency: U.S. Department of Education Title: Student Financial Assistance Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Award Year July 1, 2021 to June 30, 2022 Compliance Requirement: Special Tests and Provisions CONDITION: In our test work over the Return of Title IV funds, we noted the following noncompliance: In 3 out of 9 students examined totaling $1,733, the College did not return the funds to the Department of Education in the required 45 days after the withdrawal date of the student.CRITERIA: According to 34 CFR 668.173(b), return of Title IV funds are required to be deposited or transferred into the Student Financial Assistance account or electronic fund transfers initiated to the Education of Department as soon as possible, but no longer than 45 days after the date the institution determines that the student withdrew.QUESTIONED COSTS: None EFFECT: The College returned Title IV funds to the Department of Education later than the timeframe required by the program requirements. CAUSE: The College was late in sending the returned funds to the Department of Education for a few of our samples examined because the City of Las Vegas was under a fire emergency due to Calf Canyon/Hermit Peak Fire. Upon return to the College offices, it was noted some of the funds to be returned to the Department of Education had not been processed. RECOMMENDATIONS: We recommend that the College policies and procedures to ensure that it regularly checks any student withdrawals and ensure that they send the Return to Title IV funds within the 45 day requirement. MANAGEMENT’S RESPONSE: The College acknowledges the auditors' comments and has taken steps to address the findings. The college’s Financial Aid department has experienced key staff turnover. In FY23, the college contracted with Attain Partners, a third-party service provider, to enhance our policies and procedures, ensuring alignment with best practices and compliance requirements. Attain, with college staff, are conducting a thorough review of the processes used by the Registrar, Bursar, and Financial Aid Office to improve coordination and the timely reporting of R2T4s. RESPONSIBLE PARTY/TIMELINE TO CORRECT: The Return to Title IV (R2T4) policy and procedures will be updated as necessary to remain current, and all staff will be informed of any revisions. The Interim Vice President of Student Services and the Interim Chief Financial Officer, working with Attain contractors, will review and update R2T4 policies by September 30, 2024. Due Date of Completion: September 30, 2024 Responsible Party: Dr. Loretta Montoya If the U.S. Department of Education has questions regarding this plan, please call me at 505-235-1755. Respectfully, Loretta Montoya Dr. Loretta Montoya Interim CFO

A. Comments on Findings and Recommendations: We agree with the finding and recommendation. B. Actions Taken or Planned: The Institution has reviewed the details of the finding and determined the error to be an isolated instance due to human error. The Institution returned $268 to the Federal Pell Grant Program on behalf of student #AR8. Student AR8 failed a class/module for the payment period in a non-standard program. On the Return of Title IV (R2T4) calculation, the payment period ending date should have been extended by an additional class/module. File Review will be added to the final review of all R2T4 calculations prepared for non-standard term programs. If the academic transcript includes repeat classes/modules, payment periods used in the calculation will be reviewed for accuracy.

Timely Submission of Enrollment DataEVMS has implemented a new student information system to assist with managing student data and enrollment reporting. The EVMS Information Technology developed a new report that will be automatically generated every Monday to show any status changes that occurred in the previous week. This report will be emailed every Monday to several areas, including the Registrar?s Office and Financial Services. The Registrar?s Office will reconcile the enrollment report that is sent to the National Student Clearinghouse every week to ensure the changes are being properly updated in the report. Enrollment reports will continue to be processed on a monthly basis to the National Student Clearinghouse which will be then sent to the National Student Loan Data System (NSLDS).Financial Services will serve as a secondary review after the fact for all students who have had a status change to go on a leave of absence, withdraw from EVMS, return from a leave of absence, or graduate off cycle. Financial Services will check NSLDS around 30 days after the change has occurred to ensure that the last enrollment report information is accurate and up to date. If there are any discrepancies with the status or last date of attendance, Financial Services will reach out to the Registrar and the Director of Financial Aid. The Director of Financial Aid will update the student?s record directly in NSLDS and the Registrar will ensure that the update is on the next version of the enrollment report so that it does not override the manual update.EVMS Financial Aid and Financial Services drafted a new policy to address the requirements and timing related to notifications of a status change for students. Once approved, the policy will be distributed to all departments impacted and training will be scheduled with responsible parties.The contact person for this finding is David Golay, Registrar.

Finding 2022-001Federal Program InformationFederal Agency: United States Department of EducationAssistance Listing Nos.: 84.063 and 84.268, Student Financial Assistance ClusterAward Periods: July 1, 2021 through June 30, 2022, and July 1, 2022 through June 30, 2023Corrective Action PlannedMayo Clinic Information Technology will work with the Student Financial Aid office to review the risk rating of the Banner application. A complete user access review based on job roles will be completed for 2023. To improve the speed and accuracy of the completion of these requests, we will be working with the Identity Management Platform team to add the Banner application into SailPoint for access management and review.Persons Responsible for Corrective ActionAlec Haws, ETC Education Application Analyst Raj Sanwal, Lead IT Analyst/ProgrammerTarget Completion DateOctober 31, 2023

Foster Care Eligibility Controls Not Completed in a Timely MannerState Agency: Department of Health and Human ServicesFederal Program: Foster Care Title IV-EThe Department concurs with this recommendation. The agency is in the process of building an integrated eligibility team and will increase its capacity by having three team leads and one support coordinator III to support the eligibility review process.Anticipated Correction Date: June 30, 2023Contact Person: Tracy Wiggill, Eligibility Program Manager, twiggill@utah.gov

CORRECTIVE ACTION PLANAudit Period: September 1, 2021, to August 31, 2022Finding 2022-001: Student Financial Assistance Cluster- Calculating Return of Title IV FundsThe Institution relied on their previous 3rd party servicer who processed their R2T4 forms. The Institution was not satisfied with their services and terminated that company and subsequently hired a new 3rd party service provider. It was discovered during the transition of service providers, that 2 of the R2T4 forms in our sample were not correctly calculated by their previous third-party servicer.Recommendation:We recommend the institution to update the incorrect R2T4 worksheets and follow up accordingly as required and to work with their new 3rd party service provider to determine effective dates at which 60% completion is achieved during each enrollment session.Management Response:Management agrees with the finding and will implement the recommendations immediately.Action Taken or Planned:Management has met with their current 3rd party service provider and have corrected the incorrect R2T4 worksheets and will follow up as required. Management has also met with their 3rd party service provider to determine effective dates at which 60% completion is achieved during each enrollment session.

STUDENT FINANCIAL ASSISTANCE CLUSTER FINDINGSFINDING 2022-003 - Internal Control over Compliance (Repeat Finding 2021-003, 2020-001, 2019-002, 2018-003, 2017-002, 2015-002, 2014-008)ResponsesNSHE Overall response/context ?NSHE increased its dialogue amongst the three instances of the student information system throughout fiscalyear 2022. The results of this robust dialogue led to additional controls to reduce related IT risks, enhancedmonitoring of activities, and targeted periodic reviews, highlighted in each instance?s response below. Theseenhanced techniques operating throughout the entire fiscal year ahead, should provide a stronger overall controlenvironment and lower associated risks.UNR ?? Detailed corrective action taken, including what will be done to avoid the identified issues inthe future, and when these measures will be in place;UNR has implemented controls to address the risk associated with the PeopleSoft Administrators(PSA?s) access to the production and development environments. The controls include:1. The University will remove the PSA role for the three individuals that are identified as not havingthe appropriate segregation of duties. The PSA role is still required of the University and will onlybe granted on a temporary basis when necessary and this access will be, documented, monitored,and deactivated upon completion of the required tasks.a) Approvals ? A PSA role is granted for task specific business needs and when the individualssecurity level does not permit the action to be performed. When justified, the PSA role isgranted by a security administrator.b) Documented ? When the PSA role is granted a notification is triggered to the Associate VicePresident, Planning, Budget and Analysis, the Registrar and the Director of AccountingOperations as to the role assignment and the person assigned.c) Monitored ? The activities performed are documented and monitored in a TeamDynamixticket.d) Deactivated ? The PSA system access is deactivated upon completion of the required activity.The deactivation is documented in the TeamDynamix ticketing system.2. The University will implement a quarterly User Access Review that identifies the incidences ofwhen the PSA role is granted and when the PSA login occurs and compares this to Team Dynamixto establish the activity. The activity can be compared to the system for validity. This will beperformed by the Registrar. 3. The University will continue to explore and research Change Control Systems as options tomonitor activities of the PSA?s.? How compliance and performance will be measured and documented for future audit,management and performance review.The PSA role will not be established for continuous periods of time. When the PSA role is temporarilygranted it is documented and tracked in Team Dynamix. This provides an audit trail of role access,timeframes of logins, and activities.? Who will be responsible and may be held accountable in the future if repeat or similarobservations are noted.The Associate Vice President, Planning, Budget and Analysis will monitor the compliance with thecorrective action plans and will implement new processes as needed to meet the needs of mitigatingthis risk and the system updates and changes.UNLV ?UNLV agrees with this finding.? Detailed corrective action taken, including what will be done to avoid the identified issues inthe future, and when these measures will be in place;UNLV understands the importance of adequate segregation of duties within the PeopleSoftenvironments and applications. The PeopleSoft Administrator (PSA) position that is the subject ofthe finding is responsible for the installation, configuration, upgrades, and troubleshooting of all theapplication environments. The PeopleSoft Administrators are not programmers/developers, andtheir access to the production environments is periodically required to perform the needed activitiesrequired to provide timely support of the application within the scope of their job duties.UNLV has implemented the following controls to mitigate the risks associated with the elevatedaccess required for the administrators to perform their required support activities.a. UNLV will remove the PeopleSoft Administrator role from all PSAs in productionenvironments.b. The PeopleSoft Administrator role will be assigned temporarily when elevated actions arerequired. The assignment will have the following requirements:i. Be limited in duration.ii. Document a justification detailing the need and actions to be performed.iii. Generate notification to the Director of Enterprise Applications.iv. Automatically be removed.v. It is reviewed as part of normal audit activities. c. UNLV will increase their reviews of access, activities, and assigned privileges to monthly forthe PeopleSoft Administrators.d. UNLV will continue researching and implementing other control methods to address thesegregation of duties while providing appropriate service and support.? How compliance and performance will be measured and documented for future audit,management and performance review.The PeopleSoft Administrator role will no longer be a persistent assignment to the PSA position.UNLV will perform monthly reviews of the access and activities to determine if the PeopleSoftAdministrators' current levels require further refinement. Additionally, UNLV will continue toresearch other control methods that will address the segregation of duties while providingappropriate service and support.? Who will be responsible and may be held accountable in the future if repeat or similarobservations are noted.The Director of Enterprise Applications will be responsible for reviewing the access needs of thePeopleSoft Administrators. The Director will complete the reviews and is also accountable if repeat orsimilar observations are noted. The Chief Information Security Officer will verify the reviews are permonthly audit practices.SCS ?? Detailed corrective action taken, including what will be done to avoid the identified issues inthe future, and when these measures will be in place;PeopleSoft Administrator (PSA) access to the Production and Development environments arereviewed on an ongoing basis. Due to the need to develop and perform program changes for all fiveshared-instance Institutions on a frequent basis it was determined that PSA access cannot be reducedany further. However, to address the segregation of duties risk the following compensating controlsare in place:(a) STAT for PeopleSoft ? Code control and internal modification tracking provides visibility over PSAactivities that are processed via this tool. These object changes are reviewed and approved by theDirector of Information and Application Services.(b) JIRA - Change control management and project tracking software. Change requests and projectsrelated to the PeopleSoft shared instance are tracked and approved. This would include user accessmodifications and system updates for example.(c) Security e-mail alerts ? The SCS security team are alerted via automated e-mails when user access(to include PSA roles) is changed.(d) User Access Reviews ? On an annual basis a user access review is performed incorporatingSCS/SA privileged users and all shared instance security coordinators SCS will implement the following additional control from FY22/23 going forward:(e) Splunk reporting and monitoring ? Reporting and trigger events developed incorporating PSAactivity ?anomalies?. For example, PSA after-hour logins reviewed and matched to plannedupdates/activities.(f) Periodic management reviews ? A formal review incorporating, and documenting PSA andassociated exception activities will take place. Where appropriate this will include approvals anddocumented rationale.SCS will continue to explore additional solutions to minimize the segregation of duties risk, especiallyas it relates to the monitoring of PSA activities.? How compliance and performance will be measured and documented for future audit,management and performance review.The periodic management review where appropriate will include documentation and approvals tosupport PSA activities that do not meet established criteria. This review will also document anyfollow-ups required as it relates to similar controls. For example, security e-mail alerts.? Who will be responsible and may be held accountable in the future if repeat or similarobservations are noted.SCS Director of Information and Application Services, SCS Security Group.

FINDING 2022-004 - Special Tests and Provisions: Return of Title IV funds for withdrawn students(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)ResponsesCSN?? Detailed corrective action taken, including what will be done to avoid the identified issues inthe future, and when these measures will be in place.All student accounts needing an R2T4 that require a date adjustment due to a gap between the lastdate of attendance for one course and the start of a new modular course will be reviewed by a secondindividual on the R2T4 processing team. This will ensure that the institution counts the correctnumber of complete days for the calculation when there is a gap in enrollment and a schedule breakof five days or more. These measures will be in place beginning October 15, 2022. Due to the error,the student will be made whole using institutional funds.? How compliance and performance will be measured and documented for future audit,management, and performance review.CSN will notate student accounts that must be reviewed as processors come across them. Who will be responsible and may be held accountable in the future if repeat or similarobservations are noted.The Assistant Director of Financial Aid will be responsible and may be held accountable if repeat orsimilar observations are noted.UNLV?UNLV agrees with this finding.? Detailed corrective action taken, including what will be done to avoid the identified issues inthe future, and when these measures will be in place:For context 1 (summer 2021), the student withdrawal occurred in FY 2021, with funds returned inAugust. This coincides with our 2020-2021 audit review, at which time many of the controlsdescribed in our response to findings for that year were in their early stages. Since summer 2021none of the identified issues that led to late fund returns have recurred.For context 2 (spring 2022), funds were returned one day late due to a failed transmission to theCommon Origination and Disbursement (COD) system. Normally when transmissions occur, anyrejected records are reviewed by the following day, in part to ensure that returns of funds are timely.In this particular instance, the file failed entirely and was never transmitted to COD at all, andtherefore no record was received of a file reject. Fortunately our own internal reconciliation controlsidentified the issue before even more time had passed.We regularly review records of when fund returns are processed in PeopleSoft to ensure reporting toCOD occurs within 45 days. In addition to our record of the PeopleSoft return date, we will nowtrack a second date to mark when the return record is accepted and reflected in COD. Thiscorrective action has been implemented as of October 10, 2022, and a review of fall 2022 R2T4returns to date indicates that all returns have been made within the 45-day timeframe.? How compliance and performance will be measured and documented for future audit,management and performance review:Steps taken in prior years, including expanded training around R2T4, the addition of a staff memberto support the R2T4 process, and increasing internal controls, have been successful in remediatingthe issues that were previously identified. To control for the file transmission issue, the correctiveplan will be monitored by both the Assistant Director for Financial Aid Processing and the ExecutiveDirector of Financial Aid & Scholarships on a weekly basis. Notes from these reviews will berecorded for future audits. Who will be responsible and may be held accountable in the future if repeat or similarobservations are noted:The Assistant Vice President for Admissions & Financial Aid and the Executive Director forFinancial Aid & Scholarships will be responsible for ensuring ongoing compliance.