Corrective Action Plans

Management View and Corrective Action Plan Finding Number: 2024-001 Grantor: Department of Education Program Name: Federal Pell Grant Program Award Year: 7/1/2023 - 6/30/2024 Award Number: P063P230300 Assistance Listing Numbers: 84.063 Management concurs that it made an overpayment in the amount of $1,335 in the Federal Pell Grant Program. The following controls will be added to ensure that overpayment does not occur in the future. 1. Training will be provided to individuals involved in the process to ensure that changes made to financial aid packages are appropriate and in accordance with requirements. 2. The R2T4 checklist used for all students with federal aid who withdraw mid-semester will be updated with a reminder to check the Pell Offered/Accepted/Paid amount prior to locking the funds to ensure the amounts are the same. 3. The Office of Financial Aid (OFA) will explore the possibility of developing a report that will check all Pell recipients, within a given year, for discrepancies between Offered/Accepted/Paid Pell amounts in Banner on a monthly basis. If a discrepancy exists, OFA staff will review and adjust as necessary in a far more timely manner. Management expects to implement these controls during the Spring 2025 term. Kelli Perry Associate Vice President for Finance and Controller

NSLDS Reporting Errors Planned Corrective Action: Management agrees with this finding. The Registrar's Office has already resolved the system issues that were created by a new process for SP24 that created errors and resulted in students left off enrollment reports. The Registrar has successfully implemented a process to ensure consistency in reporting that can be shown through our submitted reports post Fall of 23'. Prior to each submission, the Registrar now performs a spot check by pulling a SIS enrollment report which helps to cross-reference and confirm the data. Additionally, the Registrar will select 10 random records from the enrollment file for detailed verification of accuracy, and correct any necessary records prior to submitting to NSC. The Registrar has identified some discrepancies between what is reported to NSC and what is pulled by NSLDS and are in the process of collaborating with CIU's IT team to investigate and resolve these issues promptly. Person Responsible for Corrective Action Plan: Elizabeth Haselden, Registrar; Joy Brown, Degree Audit and Data Specialist Anticipated Date of Completion: May 31, 2025

Inaccurate and Untimely Returns of Title IV Funds (R2T4) Planned Corrective Action: Management agrees with the finding. The Registrar’s Office and the Financial Aid Office met on 12/17/24 to discuss the discrepancy between withdrawal dates used by Fin Aid and those used by the Registrar’s Office. It was agreed that LDA and withdrawal date should be the same date for students who officially withdraw and students that are dropped due to non-participation. It was agreed that the Registrar Office would notify the Financial Aid Office of students who are administratively dropped for non-participation in a timely manner. We also agreed that we should meet at least quarterly to review our procedures and communication between offices. The Associate Director and the Director will both review the calendar set-up dates used for R2T4 calculations in our POEs to insure the correct term dates are entered. The Associate Director has now moved her undergrad online caseload to another counselor so that she has more time to focus on her primary roles of processing R2T4s and disbursing aid. Person Responsible for Corrective Action Plan: Elizabeth Haselden, Registrar; Joy Brown, Degree Audit and Data Specialist; Laura McCall and Martha Lewis, Fin Aid Associate Directors; Patty Hix, Fin Aid Director Anticipated Date of Completion: May 31, 2025

Views of Responsible Officials and Planned Corrective Actions Clearinghouse reports are from the college’s student information system (SIS). Though the student’s withdrawal was processed and entered in the SIS in a timely manner, the system categorized the student as "less than half time” because of a passing grade in a course from which the student was exempted due to passing a proficiency test. The SIS did not change the student status to withdrawn until the semester ended, which was more than 60 days beyond the withdrawal date. Action Taken/Planned: The college’s Business Office maintains an online spreadsheet list of withdrawn students outside of the SIS that is updated when a student withdraws from the college. The list has been shared with the personnel responsible for the Clearinghouse reports. Personnel will monitor the withdrawal listing and verify that all withdrawn students are accurately categorized in the Clearinghouse report from the SIS before completing the submission. Anticipated Completion Date/Date Completed: November 18, 2024

Finding Reference Number: 2024-004 Initial Fiscal Year: 2023 Summary of Finding: Significant Deficiency: Disbursement Notifications (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268; U.S. Department of Education, Teacher Education Assistance for College and Higher Education Grants, ALN #84.379) (Repeat Finding: 2023-005) In accordance with 34 CFR 668.165(a)(2), when a University credits a student’s account, the University must notify the student or parent of (i) the anticipated date and amount of the disbursement, (ii) the student’s or parent’s rights to cancel all or a portion of that loan or disbursement, and (iii) the procedures and time by which the student or parent must notify the University that he or she wishes to cancel the loan or disbursement. This communication must occur no earlier than 30 days before, and no later than seven days after, crediting the student’s ledger account at the institution if the institution does not obtain affirmative confirmation from the student. During the 2024 audit, it was noted that 13 of 38 students, or 34.2%, who had received Direct Loan funds and/or TEACH grant funds did not receive disbursement notifications due to a system failure. The failure was not noticed to be able to remedy the situation timely. The University should ensure system functionality periodically, specifically entering periods in which disbursements are concentrated, such as the beginning of the semester, to prevent lapses in mass. The University should also create a process to verify that disbursement notifications have been distributed as intended, so that any missed notices can be remedied timely. Entity’s Corrective Action Plan Corrective Action Plan Summary: The University has taken a comprehensive and proactive approach to address this issue through two key initiatives. First, we have instituted a robust audit process designed to ensure the integrity and functionality of the system responsible for documenting sent emails. This process enables us to systematically verify that the system is operating as intended. Second, we have deployed advanced software solutions that serve to mitigate the risk of similar issues arising in the future. These combined measures reflect our commitment to ensuring operational reliability and preventing recurrence. Anticipated Completion Date: October 1, 2024 The corrective action plan has been implemented to resolve the prior year finding, helping to ensure that future dates are accurate. Name and Title of Responsible Person: Rocky Christensen, Director of Financial Aid

Finding Reference Number: 2024-003 Initial Fiscal Year: 2024 Summary of Finding: 2024-003 Significant Deficiency: Direct Loan Limits (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) In accordance with the Federal Student Aid Handbook, Volume 3, Chapter 3, you must determine an undergraduate student’s Pell Grant eligibility before originating a Direct Subsidized or Unsubsidized Loan for that student, and you must package Campus-Based funds and Direct Subsidized Loans before Direct Unsubsidized Loans. In addition, you must determine an undergraduate student’s maximum Direct Subsidized Loan eligibility before originating a Direct Unsubsidized Loan for the student. The student’s maximum annual loan limit increases as the student progresses to higher grade levels. During the audit, it was noted that the University did not fulfill maximum award of students’ Direct Subsidized Loan eligibility prior to awarding Unsubsidized Direct Loans for 3 of the 32 applicable students tested, which is a 9.4% error rate. This finding is monetary in nature. In the instances noted in testing, the total error is $5,983 in under-award. Extrapolation of this monetary error estimates a total potential error of $54,614. The University should institute processes and controls to ensure that the student eligibility is assessed properly based upon grade level progression and that maximum Subsidized Direct Loans are awarded prior to Unsubsidized Direct Loans, as this practice is more beneficial for the student. Entity’s Corrective Action Plan: Corrective Action Plan Summary: The University has determined that this finding was caused by a deficiency in the software’s calculation of the subsidized award. Specifically, the software failed to update the student’s records following changes in circumstances that impacted the calculation of financial need. In response, the University has conducted a thorough evaluation and implemented new software designed to address this issue and ensure accurate calculations in future cases. Anticipated Completion Date: November 1, 2024 The corrective action plan has been implemented to resolve the prior year finding, helping to ensure that future dates are accurate. Name and Title of Responsible Person: Rocky Christensen, Director of Financial Aid.

Finding Reference Number: 2024-001 Initial Fiscal Year: 2023 Summary of Finding: Significant Deficiency: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) (Repeat Finding: 2023-001) In accordance with 16 CFR 314.4, a University shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue and must contain all of the elements that are further described in 16 CFR 314.4 During the audit, it was noted that the University’s Gramm-Leach-Bliley Act Policy did not fully address all of the requirements as described by 16 CFR 314.4. In addition, the application of the comprehensive information security program was not effectively administered by the University during the 2024 year. An updated policy was put into place in July 2024, which addressed several of the deficiencies noted in the existing policy, but not all. The University should continue to update their Gramm-Leach-Bliley Act Policy to be in accordance with the requirements and put in place effective controls and practices to ensure the policy is monitored in a way to ensure it is administered effectively and timely. Entity’s Corrective Action Plan: The Johnson University IT Department has consistently worked to improve compliance with GLBA regulations since July 2023. The leadership of Johnson University has taken a proactive and measured approach to GLBA compliance that ensures a balance between reaching compliance quickly and reaching compliance with long-term strategic planning. This has led to a GLBA implementation that will take 2 or more years but will set up the university for long-term excellence in compliance and security. The University understands the importance of GLBA requirements and is committed to ensuring student data is protected from all foreseeable threats. It will continue to iterate on its GLBA corrective action plan to ensure proper compliance for long-term security. The Johnson University IT Department has developed a plan to address deficiencies in GLBA compliance in each of the following areas: Requirement 1 - Qualified Individual: 16 CFR 314.4(a) Johnson University has designated Tim Fisher as our Qualified Individual. Tim Fisher is an employee of Johnson University, serving in the IT Systems Analyst role, and will work alongside Johnson University’s IT Director to oversee the information security program and its implementation. While Tim has over 15 years of on-the-job cybersecurity experience, additional training resources have already been provided to Tim Fisher to pursue the CompTIA Security+ certification. Tim Fisher expects to complete the training and gain the certification by the end of 2025. This was deemed sufficient for GLBA compliance in the audit report provided by Blackburn, Childers & Steagall, PLC dated November 6, 2024. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Requirement 2 - Risk Assessment: 16 CFR 314.4(b) Johnson University partnered with HORNE, a cybersecurity company, to conduct a risk assessment in November 2023. The assessment covered several topics and recorded inherent risk levels, existing mitigating controls, and the residual risk levels of each topic covered. Residual risk levels, the level of risk existing despite the existing controls, were found to be considered high in termination procedures and review of security logs. GLBA policy development and implementation decisions were based heavily on this initial risk assessment. A more comprehensive cybersecurity company with experience serving customers in Higher Education, DeapSeas, has been selected for ongoing cybersecurity assistance and will be conducting future risk assessments. Additional risk assessments are planned to be performed every 2 years to reexamine reasonably foreseeable risks and to account for changes in cybersecurity controls. The next risk assessment shall be completed by the end of 2025. Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Requirement 3.1 - Access Controls: 16 CFR 314.4(c)(1) Johnson University policy ensures that employee supervisors dictate appropriate access for each employee to the IT Department when they are hired or change positions. Supervisors are responsible for ensuring employees have appropriate access to locations where sensitive information is stored, such as file servers and Jenzabar (Student Information System) software access. The IT Department processes permission changes and does not provide permissions without explicit request from the employee supervisor. Auditing existing permissions is a weak spot that has, in the past, taken hours of manual work. We have purchased software, AD Manager, to assist with access reviews. We expect this software to be ready to audit necessary permission groups by the end of 2024. This should significantly reduce the time it takes to audit permissions through additional reporting and easy remediation features. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement, instituting a continuous monitoring process undertaken at periodic intervals. The University has contracted with a new software to assist with this, which is expected to be live by December 31, 2024. Note from JU IT: Requirement 3.1, access control reviews, is complicated as each department supervisor is responsible for setting access permissions. The IT Department will need to engage department supervisors for review and approval. Due to the transition in the I.T. Director position, the expectation to be live should be adjusted to March 31, 2025. Requirement 3.2 – Data Identification: 16 CFR 314.4(c)(2) Informal identification has been completed by the IT Department through generalized asset inventory procedures. DeapSeas, our selected cybersecurity vendor, has been contracted to conduct a more formal data identification procedure in early 2025. This will identify critical items and analyze risks and responsibilities associated with each party. This procedure will take place through scanning the corporate network and interviewing departments on their data storage procedures. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Resolution to this matter is expected to be addressed and incorporated into the policy by December 31, 2024.” Note from JU IT: For requirement 3.2, data inventory, we’re already under contract with DeapSeas to do this. It will be completed by March 31, 2025. Requirement 3.3 – Encryption: 16 CFR 314.4(c)(3) Johnson University has had encryption in transit for several years but has not had encryption at rest. Johnson University purchased licenses to enable encryption at rest in October 2023 and finished a project to encrypt most virtual machines containing sensitive data using AES-256 and XTS-AES-256 encryption on April 29, 2024. The remaining virtual machines are planned to be encrypted before the end of 2024. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement.” Requirement 3.4 – Secure Development: 16 CFR 314.4(c)(4) Johnson University does not develop in-house applications for transmitting, accessing, or storing customer information. A combination of the risk assessment, vendor analysis, and penetration testing will assess the security of externally developed applications. The risk assessment has already been completed, but further vendor analysis and penetration testing are planned to be completed by the end of June 2025. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. However, the University does not develop in-house applications for transmitting, accessing, or storing customer information.” Requirement 3.5 – Multi-factor Authentication: 16 CFR 314.4(c)(5) Johnson University has enabled multi-factor authentication on all connections to the server where our student information system (Jenzabar One) is accessed. Multi-factor authentication is also enabled for all logins to Office 365 and integrated applications, such as Zoom videoconferencing, our student/employee portal, Jenzabar Financial Aid (financial aid management system), and Jenzabar Recruitment (admissions software). Multi-factor authentication is also enabled on connections to our administrative systems, such as our network firewall, hypervisor, door access control, and security camera management systems. With multi-factor authentication requirements for all these systems, we believe that multi-factor authentication is enabled on all critical systems to protect student information. Evaluation of low-risk systems, such as our classroom audiovisual systems, for feasibility of multi-factor authentication are ongoing and expect to be completed by the end of 2024. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. However, the University utilizes multi-factor authentication on all connections to the server where student information system is accessed, as well as administrative and financial applications.” Requirement 3.6 – Data Retention: 16 CFR 314.4(c)(6) Organizational data retention policies, developed by the Finance Department, are currently in effect. These policies were originally written for other means but have some overlap with GLBA regulations. Evaluation of these policies for effectiveness is ongoing and expected to be completed by the end of 2024. Future evaluations for the effectiveness of data retention policies will take place every other year in a joint venture with the Finance and IT Departments. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Evaluation of organizational data retention policies for effectiveness is ongoing and expected to be completed by December 31, 2024. Note from JU IT: Requirement 3.6, data retention policies, will require collaboration between Finance and IT. Finance’s existing policies on data retention need to be enhanced. This just takes time and decisions from the CFO (how long to retain and when to delete – IT will be enforcing the policy technically). Evaluation will be completed by June 30, 2025. Requirement 3.7 – Change Management: 16 CFR 314.4(c)(7) Change management procedures have been discussed and official policies are being developed. Evaluation of security risk and risk of downtime or other degradation of service are being considered in change management procedures. Official policies should be in place in 2025. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. Official policies should be in place by December 31, 2024. Note from JU IT: A change management plan will be completed by March 31, 2025. Requirement 3.8 – User Logging: 16 CFR 314.4(c)(8) User logging is in place for all log-ins to Office 365 log-ins to its services and integrated applications. Microsoft Entra sign-in risk and user-risk policies are in place to enforce stronger security measures during sign-in, force password resets, or deny sign-ins altogether based on risk analysis. Sign-ins to on-premises resources are logged through new software, Log360, implemented in March 2024. Log360 analyses log-ins and sends notifications to IT Department technicians via email for suspicious activity. IT will then process these reports to take appropriate action to resolve the threat unless there is sufficient evidence of a false positive. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Office 365 user logging has been in place; sign-ins to on-premises resources was implemented in March 2024. IT has processes in place for addressing suspicious activity.” Requirement 4 – Security Assessment: 16 CFR 314.4(d)(1) DeapSeas, a cybersecurity vendor, has been chosen to conduct security assessments. A security assessment is planned for early 2025. Ongoing, internal security assessments are planned on an annual basis to be conducted by the IT Department. These assessments will assist in evaluating the effectiveness of existing controls and the ongoing development of the security program. Software has also been purchased and implemented for continuous monitoring of vulnerabilities within organizational software. The software, Vulnerability Manager, provides notice of known vulnerabilities and available patches for software installed on devices within our organization. These notifications are distributed through the software and through email. Automated and semi-automated patches are available through the software to be deployed to organizational devices over the internet. Patching known vulnerabilities within our software portfolio is a priority for us. This system should reduce overall risk and patch effectiveness will be verified with penetration testing. Our first annual penetration test is planned for early 2025. Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Requirement 5 – Security Training: 16 CFR 314.4(e) Security training has been made mandatory for all employees beginning in Fall 2024. Security training is done through our online video training platform, KnowBe4. This system allows for video, quizzes, and other learning material to be presented to the employees. KnowBe4 develops this content and ensures accuracy and appropriateness. Johnson University IT Department selects available materials and assigns them to employees. Security training was last updated after the initial risk assessment and will be reviewed every 6 months. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Requirement 6 – Service Providers: 16 CFR 314.4(f) Collection of SOC2 security reports from vendors that have access to systems with student information is in progress. The collection and analysis of these reports is expected to be completed by the end of 2024. Review of these reports is planned to be conducted annually, with requests for updated security reports every 3 years. \ Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Requirement 7 – Security Control Monitoring: 16 CFR 314.4(g) Security controls are being monitored using Log360 wherever possible. Continuous evaluation of these controls is underway and adjustments will be made to security controls as needed. New change management policies and penetration testing will influence the way we evaluate these controls and will likely include changes to monitoring systems and evaluation methods. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Anticipated Completion Date: Fall 2026 Name and Title of Responsible Person: Luke Edwards, Director of IT.

Finding Reference Number: 2024-002 Initial Fiscal Year: 2024 Summary of Finding: 2024-002 Significant Deficiency: Return to Title IV Funds (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268; Federal Pell Grant Program, ALN #84.063) In accordance with 34 CFR 668.22(f), in the calculation of the percentage of payment period and/or period of enrollment completed, the total number of calendar days in a payment and/or enrollment period includes all days within the period, except that institutionally scheduled breaks of at least 5 consecutive calendar days and days in which the student was on an approved leave of absence are excluded from the total number of calendar days in a payment period and/or period of enrollment. During the audit, it was noted that the University used the incorrect number of completed days in the payment period or period of enrollment in calculating the percentage of the Title IV aid earned. The audit included a detailed testing of 5 withdrawal student files, of which this significant deficiency applies to 1, indicating an error rate of 20.0%. This finding is monetary in nature. In the instances noted in testing, the total error identified is $1,992 in over-award. Extrapolation of this monetary error was not necessary as the 5 withdrawal students tested as part of the 2024 audit constitute the entire withdrawal population for the period under audit. The University should ensure that the number of completed days in the payment period or period of enrollment are counted correctly utilizing the guidance provided by the Compliance Supplement and the Student Financial Aid Handbook. Entity’s Corrective Action Plan: Corrective Action Plan Summary: The University has determined that this matter constitutes a unique training situation involving the application of procedures related to the Return of Title IV funds. In particular, the University recognizes the need for enhanced training concerning the accurate counting of days when a student withdraws, provides written notification of their intent to attend a future module within the same term, and subsequently withdraws from that second module. The error in question arose from the miscalculation of days, where the University inadvertently counted all days in the initial module rather than counting only the days leading up to the student's initial withdrawal prior to the final withdrawal from the second module. This oversight was attributed to an individual employee, and the University has proactively implemented comprehensive training and procedural safeguards to prevent similar occurrences in the future. Anticipated Completion Date: August 01, 2024 The corrective action plan has been implemented to resolve the prior year finding, helping to ensure that future dates are accurate. Name and Title of Responsible Person: Rocky Christensen, Director of Financial Aid.

Enrollment Reporting Recommendation: We recommend the College strengthen its review and reporting procedures for enrollment status changes to ensure timely and accurate updates to NSLDS. View of Responsible Officials and Planned Corrective Actions: The College acknowledges the errors in the reporting and is updating its procedures to ensure prompt communication of status changes. Staff will receive training to correctly handle student enrollment updates, and the institution will implement additional checks to avoid future errors.

Disbursements to or on Behalf of Students Recommendation: We recommend the College review its refund procedures and implement controls to ensure refunds are disbursed within the required time frame. View of Responsible Officials and Planned Corrective Actions: The College will review its internal processes for handling refunds and ensure that future refunds are processed within the 14-day window. Training will be provided to the responsible staff to improve compliance with regulations.

Contact person responsible for correction action – Michell Hall, CFO Anticipated completion date – June 30, 2024 Corrective action Sterling College agrees with the auditors finding regarding special reporting. We do not anticipate any issues with future reporting as we now understand the process for the reporting.

Contact person responsible for correction action – Mitzi Suhler, Financial Aid Director Anticipated completion date – June 30, 2024 Corrective action Sterling College agrees with the finding. Per our policy, we review enrollment reporting at the end of each term to ensure that students are getting reported accurately. We are doing everything we can to ensure compliance in this area. We will continue to be diligent about enrollment reporting and make sure we review carefully the dates that are submitted. We are still in the process of implementing our new software that will help with this process.

In order to prevent students from being missed in enrollment reporting, the College has enhanced its process to include a check and balance of the 100% refund report provided by the Registrar's Office on the first day of school against the 75% and 40% refund reports; this review will ensure that all exited students are reported as exited in the approporiate timeframe. The Exit list report has historically had a column where the Registrar records the date when the student information is submitted to NSC (National Student Clearinghouse). We have now added a new field to the Exit list report that Financial Aid will be responsible for entering the date at which confirmation is made that the data is correct in NSLDS. The FA Office will be responsible for checking the NSC and NSLDS to ensure all withdrawn students are reported accurately. Following the 40% refund period, the College's Student Success Committee will review a list of students at risk of exiting, and will confirm that any exits after the 40% refund period have been accurately recorded.

Student Financial Aid Cluster – Assistance Listing No. 84.063 & 84.268 Recommendation: We recommend that the College rebuilds the ‘Primary Program GT eForm’ to include a check that verifies all programs are not designated as Secondary. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Records staff now individually review each form submission to ensure a Primary program is appropriately assigned. In addition, a fix is being implemented to the District’s NSC file submission to verify students who have Primary and Secondary programs appear accurately. A cross-functional team has been established to create an audit report to scale NSC file submissions, as well. Name(s) of the contact person(s) responsible for corrective action: Laurie Grigg, Chief Financial Officer Planned completion date for corrective action plan: June 30, 2025

Student Financial Aid Cluster – Assistance Listing No. 84.063, 84.268, 84.007, 84.033 Recommendation: We recommend that the College verifies all withdrawal dates surrounding scheduled breaks. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: The withdrawal date and student payment has been updated to reflect the appropriate calculation. Name(s) of the contact person(s) responsible for corrective action: Laurie Grigg, Chief Financial Officer Planned completion date for corrective action plan: June 30, 2025

JEVS HUMAN SERVICES AND AFFILIATES CORRECTIVE ACTION PLAN YEAR ENDED JUNE 30, 2024 FINDINGS – FEDERAL AWARD PROGRAM AUDITS (CONTINUED) U.S. Department of Education 2024-002 Significant Deficiency in Internal Control over Compliance Student Financial Aid Cluster: 84.007 - Federal Supplemental Educational Opportunity Grants 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans Condition: During the audit, we noted JEVS Human Service has gaps within their Written Information Security Program and policies when compared to the Safeguards Rule. Recommendation: We recommend management continue to evaluate its written information security plan and establish the required documentation in accordance with GLBA safeguard rules. Explanation of Disagreement with Audit Finding There is no disagreement with the audit finding. Action taken in response to finding: Management will evaluate its written information security plan and establish the required documentation in accordance with GLBA safeguard rules. Planned completion date for corrective action plan: March 31, 2025

JEVS HUMAN SERVICES AND AFFILIATES CORRECTIVE ACTION PLAN YEAR ENDED JUNE 30, 2024 FINDINGS – FEDERAL AWARD PROGRAM AUDITS U.S. Department of Education 2024-001 Significant Deficiency in Internal Control over Compliance Student Financial Aid Cluster: 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans Condition: Certain students’ enrollment information was not reported accurately or timely to the National Student Loan Data System (NSLDS). Recommendation: We recommend the College to review its procedures for transmitting accurate information to the NSLDS. Furthermore, we suggest that the College establish a process to enhance oversight of the submissions completed by the third-party servicer. Explanation of Disagreement with Audit Finding There is no disagreement with the audit finding. Action taken in response to finding: The College has reviewed and updated policies and procedures on reporting enrollment. A new procedure had been added to the process, requiring a designated employee to check and review on a weekly basis the Student Status Confirmation Report (SSCR) on the National Student Clearinghouse (NSC) SSCR Error Correction Platform. The designated employee will document the review and resolution of items identified on the error report. This ensures that any errors are resolved within ten days of receipt, as required by the Department of Education for all schools receiving and distributing Title IV Aid. Planned completion date for corrective action plan: December 31, 2024

Thomas College will ensure that there are dual controls relating to the programs like the Perkins Loan Program going forward to ensure that both the CFO and the Controller are able to access and make deposits. The CFO position was vacant at the time and the Controller was filling both positions, which led to the oversight. When the new CFO started, they determined that there was no lost interest due to the timing of the cash deposit and going forward they would work in collaboration to ensure this was not missed in the future.

Thomas College has refined internal reporting policies and procedures to confirm that student enrollment is reported accurately and in a timely manner. The College uses the National Student Clearinghouse as a data vendor for reporting to NSLDS. The College agrees the students were incorrectly report to NSLDS. However, the student records were regularly updated with the National Student Clearinghouse, according to policies and procedures, NSC was not then transmitting some student records to NSLDS due to a conflict in data reported by a prior instituition concerning name and mismatched SSN. The College has identified the error within the National Student Clearinghouse (NSC). The following findings and corrective actions have been adopted: 1) Additional one on one training with the NSC has been completed to better understand the cause of the finding. The error that is preventing the release of information to NSLDS has been identified and steps required to resolve the error have been communicated. This training will expand to all Thomas College employees who oversee and process enrollment reporting. 2) Thomas College is closely monitoring the processing details from each submission file sent from the college to NSC to identify students not being sent from NSC to NSLDS. Thomas College is submitting the necessary, required paperwork for verification to the NSC, as needed; to verify the student's identify and information, an example of this documentation is an ISIR recorded provided by SFS. The NSC send an automated email to enrollment reporting staff when changes are made and a follow up email requesting additional information if needed. Once resolved, student are no longer shown on the transmission rejection list and are being sent to NSLDS.

Views of Responsible Officials: The Office of the Registrar had a significant decrease in staff who were experienced in the required reporting during this period. Also, we asked Ellucian staff, who support our Power Campus Student Information System and who were responsible for setting up the report, to review the reporting process and the coding generating the report itself for accuracy. At one point, the staff assigned to us were changed by Ellucian and so the process and report review were not completed in a timely manner. All these factors contributed to delay in reporting and old information being included. With new staffing in place now and having had training from National Student Clearinghouse, as well as working with a new group of Ellucian consultants who have reviewed the process and coding for the report, we are back on track with reporting. We expect that coding changes to the report that are being completed by Ellucian consultants will remove any incorrect data.

Student Financial Assistance Cluster – Assistance Listing No. Various Recommendation: We recommend the University reevaluate its procedures and review policies surrounding reporting status changes to NSLDS to put a process in place to ensure the enrollment effective date reported to NSLDS on the campus and program level is aligning with the University. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: The process Union Adventist University follows to ensure that enrollment effective dates as reported to NSLDS are submitted and coordinated through the Records Office. Records submits the list of enrollment effective dates to the National Student Clearinghouse. The Records office will be monitoring for error reports from National Student Clearinghouse that might affect the change of enrollment effective dates. The Records submits monthly reports to the National Student Clearinghouse for any changes that occur during the month. Name(s) of the contact person(s) responsible for corrective action: Tricia Harris, Director of Student Financial Services Planned completion date for corrective action plan: The goal date for this project to be completed is prior to the FY25 audit.

The Director of Students Accounts will review current processes and implement the recommendation to process refunds earlier in the 14-day window. Updated procedures will be documented, and the Student Accounts Office staff will be trained on the new procedures. Responsible Party: Steven Perrotta Vice President for Finance and Administration Phone: (603) 897-8501 Anticipated Completion Date: December 31, 2024

Contact Person Responsible: Kelli Engelhardt – Lead Mackenzie Stick - Support Corrective Actions Planned: 1. Enhanced Monitoring of Subsidized Loan Eligibility o Accelerated Nursing Students’ loan eligibility will be closely monitored, particularly during the first two semesters, to identify and prevent over-awards. o Financial Aid staff will utilize Jenzabar Student Information System reporting tools to track Subsidized Loan usage and eligibility. o Anticipated Completion Date: Ongoing; Semester-based Review, effective Spring 2025 2. Preventive Measures for Timing Issues o Financial Aid staff will actively monitor updates to ISIR records and NSLDS reporting to mitigate timing-related errors. o Steps will be taken to identify students at risk for loan overpayment earlier in the process. o Anticipated Completion Date: February 1, 2025, and then ongoing with emphasis on the first two weeks of every semester. Commitment to Compliance: The University will leverage all available tools to prevent timing-related errors and ensure accurate Subsidized Loan awarding in future years.

Contact Person(s) Responsible: Kelli Engelhardt – Lead Mackenzie Stick - Support Corrective Actions Planned: 1. Evaluate Opportunity for Staffing Enhancements o A working group will be assembled to evaluate the feasibility of adding additional staff to the Financial Aid Department to ensure proper segregation of duties and adherence to federal guidelines. o If additional staffing is not possible due to budget constraints, existing resources within the University will be explored to meet compliance goals. o Anticipated Completion Date: March 30th, 2025 2. Implementation of Internal Control Procedures o Eligibility Determinations: Manual and automated eligibility processes will be reviewed by designated staff and supervised by the Vice President for Enrollment Management on a semester basis to ensure compliance. o Return of Funds Calculations: Dual-review processes for return of funds calculations will be implemented each semester to mitigate errors. o Anticipated Completion Date: February 28, 2025 3. Training and Documentation o Annual training will continue for the Financial Aid team to ensure compliance with the Federal Student Aid Handbook. o Comprehensive documentation and supervisory review checklists will be developed to maintain transparency. o Anticipated Completion Date: Ongoing; Annual Review in July 2025 Commitment to Compliance: The University is committed to rectifying this finding and will ensure future compliance with federal regulations.

Federal Awards Findings And Recommendations 2024-001 Special Tests and Provisions - Enrollment Reporting View of Responsible Officials and Corrective Action Plan The Financial Aid and Admissions and Records departments in collaboration with the district, contracted with an outside consultant to help identify why the enrollment reporting process was not accurately reporting students' enrollment levels. It was identified that a system setting was not set to capture chnage sof enrollment levels within the specific terms. Based on the consultant recommendation, the district agreed to update system settings to accurately report student enrollment level changes throughout the term. These adjustments to the system settings will allow for the accurate and timely reporting of information to the National Student Loan Database System (NSLDS). This ongoing change to system settings is in place beginning with the Fall 2024 term. Additionally, the district has implemented internal controls to include: Developed additional training and Information Technology support structures to maintain data integrity associated with the National Student Clearinghouse (NSC) data submission, Developed pre data submission audit report to check for accuracy prior to the upload of required data to the NSC, and Created an internal work group consisting of financial aid and admissions and records professionals to review information associated with NSC reports prior to the scheduled submission of requested information. Implementation Date September 2024