Corrective Action Plans

Condition: The University did not timely notify student or parent within 30 days of crediting the student’s account with FDL. Planned Corrective Action: When posting direct loans to the student’s account, we add a touchpoint to the student’s record. This automatically sends an email to the student. We will mail a notification to the parent in the case of a Parent PLUS loan. Contact person responsible for corrective action: Nicole Neal Anticipated Completion Date: 11/01/2023

Condition: Shawnee State University did not report student status changes timely and accurately for certain students who withdrew during the year. Planned Corrective Action: Shawnee State University will perform a comprehensive review of reporting procedures (including review of reporting process, personnel responsibilities, system modifications) and make revisions to workflow to prevent future occurrence of this finding. A review of activity prior to implementation of revised procedures will be conducted and any exceptions will be documented and corrected. Contact person responsible for corrective action: James Farmer, Chief Enrollment Officer and Greg Ballengee, Chief Financial Officer Anticipated Completion Date: 12/31/2023

Condition: The University did not return Title IV funds to the Department of Education within the required time frame for certain students who required a return of funds, and it did not initially identify all students who required a return of Title IV funds. Planned Corrective Action: Shawnee State University will perform a comprehensive review of financial aid procedures (including review of financial aid processing, personnel responsibilities, system modifications) and make revisions to workflow to prevent future occurrence of this finding. A review of activity prior to implementation of revised procedures will be conducted and any exceptions will be documented and corrected. Contact person responsible for corrective action: James Farmer, Chief Enrollment Officer and Greg Ballengee, Chief Financial Officer Anticipated Completion Date: 12/31/2023

The District has taken responsibility for providing the Department of Education with the website link and will provide that going forward. Personnel Responsible for Implementation: Nyame-Tease Prempeh Position of Responsible Personnel: Assistant Director of Accounting Expected Date of Implementation: November 1, 2023

A. Formally Establish and Document Risk Acceptance Process Requirements for risk assessments and risk acceptance processes to comply with GLBA were expanded in June of 2023. The District engaged a third-party consultant to conduct a GLBA-compliant risk assessment and advise on recommended changes to the District’s Written Information Security Plan (WISP) to comply with the new requirements. The findings and recommendations were presented to the District in October of 2023 and are currently under review. The District will initiate a project to formalize risk acceptance by December 31st, 2023, and implement the risk acceptance process by June 30, 2024. B. Perform Regular Backup Restoration Tests The District has engaged with a third party to build a testing environment to physically test restoration of the SIS environment. Initiation of the project is pending processing of the Purchase Order. The District anticipates completion of the restoration by December 31st, 2023. With respect to SAP, the District is currently engaged in an effort to migrate the SAP database to HANA. When this project is complete, the same test environment will be capable of performing physical recovery tests for SAP. The HANA migration is estimated to be completed on February 28th, 2024. C. Perform Timely Access Revocation and Regular Access Reviews With respect to the District’s Single Sign-On (ADFS or SSO) environments, the District engaged professional services consultants to address this item by automating the disablement of employee accounts based upon the termination of assignment. The work is currently underway. The target completion of the process is December 15, 2023. With respect to the SAP environment, the District has engaged with a vendor to implement Multifactor Authentication (MFA) in the SAP environment. Work will begin upon processing the Purchase Order. Once both efforts are complete, disabling employee accounts in SSO, SIS and SAP will be performed automatically based upon the termination of assignments according to criteria established by Human Resources. With respect to access reviews of SIS and SAP, the District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024. With respect to physical access reviews, the District Information Security Team will perform an annual review of relevant operational protocols for data center access with the appropriate internal teams and perform an audit of data access at a minimum of once per year. The first annual protocol review will be completed by December 1st, 2023. The first annual audit will commence no later than March 1st, 2024. D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards To prevent recurrence, the LACCD Information Security Team will coordinate an annual review of Administrative Protocol 3723A: Information Security Evaluation of Third-Party Providers with District Financial Aid, Procurement and Educational Programming and Institutional Effectiveness (EPIE) leadership teams to help assure future relevant contracts are provided to the Information Security Team prior to renewal to allow for timely security review. E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS The District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024. F. Implement data encryption for Devices Storing Customer Data The District engaged a third-party consultant to perform a comprehensive review of PeopleSoft security controls, including the implementation of encryption of financial aid data within PeopleSoft. The results are pending. Based upon those recommendations, the District will work with encryption providers to develop and implement field-level encryption of financial aid data in SIS as appropriate. With respect to end-user devices storing sensitive data, the District recently adopted workstation hardening requirements that include whole-disk encryption for desktop and laptop computers used by personnel who routinely access sensitive information, including financial aid data. The District will implement the standards on workstations used by employees in financial aid and institutional research by June 30, 2024. Once this is complete, additional workstations will be encrypted in order of potential risk. G. Strictly Implement Processes and Control for Direct Changes in the SAP Production Environment The requests for direct changes in SAP production will be tracked and included in our help desk requests so that an auditable trail can be created leading to the purpose and completion of the production changes. Additionally, direct production change requests will be reviewed and approved following the LACCD Change Control process. Minor updates that do not fall within the change control guidelines will require managerial approval within the help desk system. Personnel Responsible for Implementation: Carmen V. Lidz Position of Responsible Personnel: Vice Chancellor & Chief Information Officer

A. Incorrect Calculation of Return to Title IV Funds East Los Angeles College The corrective action plan that will be put in place is to develop a chart with a predetermined number of days based on the enrollment period. This will avoid the manual counting of the number of days for each student. We also trained an additional staff member to help with the workload. This will ensure that errors will be caught before the completion of the review process. Implementation will begin in Spring 2024. Staff is currently being trained. Personnel Responsible for Implementation: Gavino Herrera Position of Responsible Personnel: Financial Aid Supervisor Expected Date of Implementation: Spring 2024 Los Angeles Southwest College The corrective action that we are implementing to remediate this finding is to move the campus return to Title IV processing to the “R2T4 Unit” at the District Office. Personnel Responsible for Implementation: Muniece R. Bruton Position of Responsible Personnel: Financial Aid Manager Expected Date of Implementation: December 1, 2023 B. Untimely Notification of Grant Overpayment to Students and Secretary East Los Angeles College The Corrective Action plan is being implemented by providing an additional staff member to assist with the return to Title IV process along with helping with the validation to ensure calculation, notification, and reporting to NSLDS will be completed on a timely basis. A reminder is set in the Financial Aid Technician Outlook calendar to help remind them to help meet the deadline of the reporting requirement. Personnel Responsible for Implementation: Gavino Herrera Position of Responsible Personnel: Financial Aid Supervisor Expected Date of Implementation: Fall 2023 C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date In the fall 2022 term, the District implemented training for all Distance Education (DE) faculty members to reduce the risk of data entry errors. DE faculty receive follow-up notifications at the beginning of every term). In addition, the District attempted to conduct random sampling to ensure the accuracy of the data entry. However, the District did not have the authorization or resources to perform sampling during the audit period. As a result, the corrective action plan (CAP) was only partially implemented during fiscal year 2023. In fall 2023, the District secured the human resources and required authorizations to conduct random sampling of the faculty data entry. The District’s Internal Audit Department (IAD) is performing random sampling of all campuses. As of fall 2023, all corrective actions have been fully implemented. Personnel Responsible for Implementation: Steve Giorgi, Betsy Regalado, Keyna Crenshaw Position of Responsible Personnel: Financial Aid Manager, Associate Vice Chancellor of Educational Programs and Institutional Effectiveness, LACCD Supervising Auditor) Expected Date of Implementation: Fall 2023

The District believes this error was an isolated incident and the effect is minimal as we performed an extensive review of all nine campuses’ Pell grant award disbursements for the term and found that this was the only similar award. The District will monitor disbursements and will perform reconciliation on a monthly basis. Personnel Responsible for Implementation: FA Office and the Central Financial Aid Unit. Position of Responsible Personnel: FA Managers Expected Date of Implementation: Already Implemented

Views of Responsible Officials and Planned Corrective Actions – The National Student Clearinghouse (NSC) Graduation Status submission calendar will be updated to reflect the necessary reporting timeline. The report will be completed after verification of graduation requirements and credentialing are completed in Colleague by the Registrar's Office. The Registrar and Associate Registrar complete different steps in the credentialing process, but will review the student records together to ensure accuracy and timely completion. Submission of graduation status to NSC will occur after each academic term (fall and spring semester, January and summer sessions).

Recommendation Test work on samples from both Portales and Roswell populations resulted in the identification of two possible issues related to incorrect calculations of aid to be returned to federal aid programs based on student’s complete withdrawal from the University. Contact was made with Ellucian/Banner customer support regarding the issue. Ellucian customer care subsequently verified a known issue within vendor software where the R2T4 calculation is incorrect when manual award adjustments or ‘locks’ are made to students who were not enrolled as full-time students when originally disbursed.   Management Response Corrective Action: In an immediate review of all students subject to return of funds calculations in both Banner instances for the 2022-2023 award year it was found that of the 322 (213 Portales/Ruidoso, 101 Roswell) students subject to Return of Title IV Funds, 17 students were identified where the calculation was incorrect, manual recalculation of funding is ongoing and will be handled within allowable timeframes with the business office. Although the software defect is present in both instances of banner no students at the Roswell campus were impacted as a result of procedural differences. Timeline of Corrective Action: Effective immediately the institution has implemented the recommended software vendor “work around”. In addition, all students enrolled less than full time will be monitored and calculations confirmed to ensure calculations are accurate. Responsible Party(ies): Financial Aid Directors – Portales and Roswell Campuses

Student Financial Assistance Cluster – Assistance Listing No. 84.268, 84.063, 84.007, 84.033, 84.379 Recommendation: We recommend that the University implement procedures to ensure that enrollment data, changes in status and effective dates within NSLDS match the records of the institution and are reported timely. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: EOU’s third party vendor, National Student Clearinghouse, has notified EOU of an additional reporting tab where a list of students who were on our degree report that was submitted, but for various reasons did not have a “Graduate” status applied to their record can be obtained. The Registrar’s office will access the report and manually update the student’s record. Moving forward, after our degree file is processed each term, we will review the students listed in this tab and manually update their status to match our records, so they will correctly and timely report to the National Student Loan Data System. Name(s) of the contact person(s) responsible for corrective action: Emily Sharratt Planned completion date for corrective action plan: February 9, 2024

Student Financial Assistance Cluster – Assistance Listing No. 84.063 Recommendation: We recommend the College review the current procedures for awarding Title IV funds and implement any changes necessary to ensure federal funds are awarded and disbursed in accordance with federal regulations. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Upon discovering that a student’s remaining Pell Grant LEU had not been rolled forward to the next term, it was immediately recalculated and disbursed. The process for calculating Pell is done in batch after each term has ended. Financial aid has added a reminder once per term to verify internally that the process has been run for the previous term, and any students with low LEU get their remaining eligibility rolled forward. If it has not been run, monitoring will continue until it is completed. Name(s) of the contact person(s) responsible for corrective action: Jason Hibbert Planned completion date for corrective action plan: March 22, 2024.

Criteria: The University is required to comply with the Gramm-Leach-Bliley Act (GLBA) section 16 CFR 314.4(b). Condition: A GLBA compliance risk assessment was not performed within the last fiscal year. Various vulnerability assessments have been conducted since 2020, however updated GLBA compliance guidance has more specific requirements for what must be performed as part of an IT risk assessment in order to identify reasonable, foreseeable internal and external risks to the security, confidentiality, and integrity of student information that addresses the following areas: a. Information systems, including network and software design, as well as information processing, storage, transmission and disposal. b. Detecting, preventing and responding to attacks, intrusions, or other systems failures. c. Documented safeguards for each identified risk. d. Appropriate mitigated risk levels for each identified risk. Updated GLBA guidance requires that a Qualified Individual who oversees the Information Security Program makes a written report to the Board of Trustees on the status of the Information Security Program at least annually. The University's Information Security Program and IT policies has four attributes that were not appropriately documented for GLBA compliance: a. Conduct a periodic inventory of data, noting where its collected, stored, or transmitted. b. Encrypt customer information on the University's system and when it's in transit. c. Assess apps developed by the University. d. Implement multi-factor authentication for anyone accessing customer information on the University's system. Cause: The University did not have controls in place to ensure all GLBA requirements were met. Effect: The University is not in compliance with GLBA requirements. Corrective Actions Taken or Planned: Items that have been resolved: a. Customer data, and backups of customer data, is now encrypted at rest and in transit. b. All users with access to customer data are required to use multi-factor authentication.c. The University password policy has been updated to strengthen passwords and increase minimum length to 12 characters with complexity. The University has also implemented a tool to block the reuse of compromised passwords from the HIBP database. Items to be resolved: a. An update on the University’s information security program draft has been shared with the Board of Trustees and a final report will be issued by February 1, 2024. b. The University has begun an inventory of customer data and systems storing customer data. The University does not have any University developed apps that handle or store customer data (this will be documented in the customer data inventory). This inventory will be completed by April 15, 2024. c. The University is evaluating proposals for an assessment to include a risk assessment and internal and external vulnerability scans. The IT risk assessment is planned to be completed by June 1, 2024. d. Updated GLBA policies, including a disaster recovery policy, will be completed by June 1, 2024 Person Responsible for Implementing Correction Action: Ezra Krumhansl, Chief Financial Officer Implementation Date: Through June 1, 2024

The University will add additional enrollment reports to our current schedule. This will allow for more frequent degree and enrollment reporting that will correct this type of reporting error in the future.

Subject: Corrective Action Plan for Title IV Federal Financial Aid Audit Finding Responsible Party: Jill Jonhson, Registrar, johnsoj@smcsc.edu 864-587-4232 We appreciate the opportunity to address the finding related to the untimely reporting of withdrawn and graduated students to the National Student Loan Data System (NSLDS) during the recent Title IV Federal Financial Aid audit. We acknowledge the importance of accurate and timely reporting and have taken immediate corrective actions to rectify the identified issue. 1. Root Cause Analysis: Upon investigation, we identified that the finding was a result of a recent change in the software system used for reporting data to the National Student Clearinghouse (Clearinghouse) which in turn is reported to NSLDS. This change led to a disruption in the timely reporting of students who withdrew or graduated from our institution. 2. Immediate Correction: As soon as the error was identified, our IT team worked promptly to update the system configuration. This correction ensured that all relevant data for withdrawn and graduated students was accurately pulled and submitted to Clearinghouse and NSLDS. 3. Verification and Submission: We have thoroughly reviewed the data to ensure that all students who withdrew or graduated during the audit period have been correctly reported to Clearinghouse. Subsequently, accurate information has been submitted to the NSLDS to fulfill reporting requirements. 4. System Enhancement: To prevent similar issues in the future, we have enhanced our system configuration. This includes implementing additional checks and validations to ensure that the reporting of withdrawn and graduated students is consistently accurate and timely. Our IT team, the Registrar's Office, and Financial Aid Director have conducted rigorous testing to verify the effectiveness of these enhancements. 5. Monitoring and Oversight: Going forward, we will establish a robust monitoring and oversight mechanism to regularly review the data reporting process. This proactive approach will help identify and address any potential issues before they impact compliance with NSLDS reporting requirements. We are confident that the corrective actions implemented will prevent a recurrence of this issue and enhance the accuracy and timeliness of our NSLDS reporting. We remain committed to maintaining the highest standards of compliance with federal regulations and appreciate your understanding in this matter.

Management is responsible for establishing a comprehensive information security policy to safeguard sensitive data. Personnel Responsible for Corrective Action: James Nelson, Chief Technology Officer, and Scott Fergerson, Chief Business Officer Anticipating Completion Date: The corrective action plan will be implemented by June 30, 2024. Corrective Action Plan: Management will continue to implement the remainining compliance required into a comprehensive policy.

Name of Responsible Individual: James Slizewski, Registrar and Director of Institutional Research Corrective Action: The University will make sure that all students who earn a “G” status of graduated are reported correctly to National Student Clearinghouse, and then to NSLDS. This will include all students who are in certificate programs that earn a credential and are graduated. Anticipated Completion Date: Fall 2024

Name of Responsible Individual: Jane Wang, Controller and Melissa Walsh, Director of Financial Aid Corrective Action: Students are awarded Federal Work Study based on financial need and their indication on the FAFSA that they are interested in Federal Work Study. Sometimes, students indicate they are not interested in Federal Work Study but end up pursuing campus employment. In these cases, we have re-allocated some students’ earnings to Federal Work Study if they remained eligible. Beginning with the 2024-2025 school year, all eligible students will be awarded Federal Work Study, regardless of their expressed interest. This will minimize the need to re-allocate funding between campus employment and Federal Work Study funding sources. Additionally, the Payroll department will enhance scrutiny and review within the federal work-study payroll process to ensure timely receipt of supporting documents for re-allocation and rectification of any errors before payroll processing. Anticipated Completion Date: Fall 2024

Name of Responsible Individual: Melissa Walsh, Director of Financial Aid Corrective Action: Campus Logic is used to send financial aid award letters to full-time undergraduate students. Part-time and graduate students fill out an institutional application, upon which their financial aid is based. These students have typically been sent an email directing them to view their aid on the Self-Service portal when their application has been reviewed. Through Self-Service, students have the ability to accept or decline their loans. Starting with the 2024-2025 school year, an award letter will be sent from Campus Logic to this population as well. They will no longer be sent an email directing them to Self-Service. Anticipated Completion Date: Fall 2024

Name of Responsible Individual: Sarah Tomlinson, Director of Student Accounts Corrective Action: Changing from manually pulling loan disbursement lists from the Ellucian Colleague system using the TFAR report to setting up Communications Management within the Colleague system so that the notifications are automatically emailed, and no manual intervention is needed. Working with our Information Technology services. Anticipated Completion Date: Spring 2024

Condition: Sinclair Community College did not report student status changes timely and accurately for certain students who withdrew and graduated during the year. Planned Corrective Action: Sinclair Community College will perform a comprehensive review of Enrollment Reporting to the National Student Loan Data System by way of the National Student Clearinghouse. This will include a review of enrollment reporting processing, personnel responsibilities, system modifications, and make all necessary revisions to workflows to prevent future occurrence of this finding. A review of activity prior to implementation of revised procedures will be conducted and any exceptions will be documented and corrected. Contact person responsible for corrective action: Dr. Tina L. Hummons, Registrar, Office of Registration & Student Records Anticipated Completion Date: 12/31/2023

Management understands this finding and has made all corrections to the identified records. The University will review and revise procedures where necessary, specific to the withdrawal of students and the updating of records in NSLDS, to act with certainty so that dates match across all areas of campus and that the program withdrawal date is updated along with the financial aid withdrawal date.

Management understands the finding and has already established new procedures for the required monthly reconciliation. The reconciliation process will be comleted each month upon receipt of the SAS. The Financial Services Office will use a PowerFAIDS consultant to update settings in the PowerFAIDS system so that all SAS reconciliation documentation will be kept as opposed to deleted after 90 days. A complete reconciliation of 2022-2023 Title IV aid will be done to ensure accuracy of all aid.

Management has maintained communication with the ESF Reporting Helpdesk. Year Three remains closed at this time but should it be reopened Management will provide the additional data requested. In June 2023, the remaining grant funds were drawn down and a quarterly report was both submitted to the Department of Education and posted to the College’s website. The Fourth Annual Report covering the calendar 2023 reporting period will be due in early 2024. This will be the final report as both the Emergency Financial Aid and Institutional grants are now closed. Management will complete and submit the annual report when the website is functional.

The auditors observed the following conditions in connection with our testing of the various U.S. Department of Education, Title IV, Student Financial Assistance Programs. • The College had differences in the following programs, which were not reconciled to the general ledger: Federal Pell Grant and Federal Direct Student Loans. The college should implement corrective actions to ensure that the above findings are resolved and will not reoccur in future periods. The College’s Corrective Plan: The College accepts the auditor’s recommendations and will establish procedures going forth to ensure that Financial Aid and Business Office staff identify and correct any differences between the programs and the general ledger.

2023-002 Student Financial Assistance Cluster – Federal Assistance Listing Numbers 84.063, 84.268 Recommendation: We recommend the College evaluate its policies and procedures in overseeing submissions to the NSLDS. In addition, we recommend the College review its policies and procedures on reporting enrollment information to the NSLDS to ensure all relevant information is being captured on reports utilized to submit data to the NSLDS. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: The Registrar’s office has contacted the SIS vendor, Ellucian, to report this issue. Ellucian has acknowledged that the inconsistency in the graduation dates is a result of a defect in the software. They have created a defect report to this effect. The Registrar’s office will spot-check graduation dates on the NSC report. The Registrar’s office will also research the feasibility of standardizing graduation dates across the board. This would entail additional manual intervention which the office is striving to move away from. Names of the contact persons responsible for corrective action: Usha Jenemann, Associate Registrar and Kristen Smith, Registrar Planned completion date for corrective action plan: Fall 2024