Corrective Action Plans

Condition: We noted during testing that the City did not maintain sufficient documentation to ensure that subrecipients and contractors were not suspended, debarred, or otherwise excluded pursuant to 2 CFR Section 180.300 prior to entering into a contract or agreement with the third party. Planned Corrective Action: The City of Port Huron will implement a new process for approval of all invoices related to ARPA grant expenses. This includes a check for suspension and debarment prior to any invoices approval and appropriate documentation. Contact person responsible for corrective action: Lee Ward, Director of Finance. Anticipated Completion Date: December 31, 2024.

Student Financial Assistance Cluster – Assistance Listing No. Various Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Mount Mercy University’s information technology department has implemented an annual process to review access controls and ensure access is only provided to authorized individuals. Authorized users will only have access to sensitive information which is required to perform their roles and responsibilities. Name(s) of the contact person(s) responsible for corrective action: Curtis Sanders Planned completion date for corrective action plan: 06/30/2025

Recommendation We recommend updating internal policy over subrecipient monitoring and recommend implementation of effective internal controls and procedures over subrecipient monitoring and tracking that allow for compliance with all applicable federal laws, regulations, and compliance requirements of various federal grants. It seems likely that additional monitoring activities are being performed that are not currently being documented in a central location and, therefore we also recommend standardizing the documentation of monitoring activities, using monitoring logs, monitoring checklists, and audit test sheets, etc. If the Department is experiencing periods where understaffing or staffing turnover is an issue causing risk of noncompliance, we recommend that the Department properly address those risks and consider contracting out certain monitoring controls to a third-party professional service firm. Management Response Corrective Action: Serve New Mexico acknowledges the lack of sufficient documentation for annual site visits and that fiscal monitoring activities for the 2023-2024 program year were not sufficient. To address this, we are revising our policies and procedures to comply with 2 CFR 200.303 (Internal Controls) and 2 CFR 200.332 (Requirements for Pass-Through Entities). Key actions we are implementing include: 1. Site Visits Documentation: We will conduct regular site visits as a component of our monitoring activities for 2024-2025 program year with clear, consistent and documented objectives for each visit and proper documentation of monitoring activities conducted during each visit. 2. Expansion of Fiscal Monitoring: Review of cost documentation will be expanded to include all subgrantees, regardless of risk, and for subrecipients subject to heightened fiscal monitoring, review of more than one month of documentation will be conducted. 3. Centralized Documentation: All supporting documentation will be scanned and stored in a centralized shared folder. This will ensure clarity and accessibility of records, particularly in the event of staff turnover. 4. Collaboration with a Consultant: Our Fiscal and Compliance Officer is working closely with a consultant to streamline fiscal policies and procedures in line with 2 CFR 200—Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards. 5. Uniform Audit Test Sheet: We will develop a standardized audit test sheet to ensure that all programmatic and fiscal monitoring activities are consistently documented across all programs. These steps are designed to ensure compliance and enhance the effectiveness of our monitoring processes, addressing the findings of the audit comprehensively Due Date of Completion: June 30, 2025 Responsible Party(ies): Serve New Mexico Director

Recommendation We recommend updating internal policy over subrecipient monitoring and recommend implementation of effective internal controls and procedures over subrecipient monitoring and tracking that allows for compliance with all applicable federal laws, regulations, and compliance requirements of various federal grants. We also recommend standardizing the documentation of monitoring activities, using monitoring logs, monitoring checklists, and audit test sheets, etc. If the Department is experiencing periods where understaffing or staffing turnover is an issue causing risk of noncompliance, we recommend that the Department properly address those risks and consider contracting out certain monitoring controls to a third-party professional service firm. Management Response Corrective Action: The Department acknowledges that we had not completed the required monitoring for Program Years 2022 and 2023. The Department has contracted with a third-party monitor to complete the Program Years 2022 and 2023 monitoring. Program Year 2024 monitoring is on track to be completed by June 30, 2025. The Department has created a corrective action plan to bring the WIOA monitoring into compliance. The Department has completed a risk assessment for Program Year 2024 which is now attached to the grant agreements. The WIOA Monitoring Unit will use the Department’s Grant Risk Assessment tool for future grant agreements. The WIOA Monitoring Unit is in the process of drafting a policy for subrecipient monitoring. This policy will establish monitoring standards for subrecipients and pass-through entities of WIOA Title I-B and related discretionary awards. The policy will include: Frequency of Monitoring Reviews Scope of Monitoring Reviews Monitoring Letters and Reports Due Date of Completion: June 30, 2025 Responsible Party(ies): Administrative Services Division Director

The Attendance and Records Center (ARC) team has put in place a process to check students with any cohort removal codes on a weekly basis, and ensure any required backup documentation is scanned into Aeries. Additionally, all staff received training on the Status Change form and the cohort exit codes that require backup documentation. The ACCESS Administrative Guidelines and Procedures Manual was also shared with staff, including section 3.9 addressing, "Documentation and Evidence Required in Order to Remove a Student from the High School Graduation Rate Cohort." All new staff will receive a copy of the manual. In response to the 2023-2024 audit additional measures have been taken in perpetuity: a) Every four weeks a sql query is run to find all cohort removal exit codes. Each one is confirmed or changed according to the documentation provided. b) Each year we re-train the enrollment staff to follow procedures in alignment with the state requirements. The meeting for this year was held on May 22, 2024 and it will be reviewed again in the Spring. c) Internal Policy and Procedure reflects not only the importance of proper documentation but provides details about what the documentation should be. These monitoring steps will ensure that this will not be a finding in the following year.

Condition: Total federal expenditures for the year ended June 30, 2024 amounted to $1,095,663. Prior to the performance of financial statement audit procedures, the Organization had determined that federal expenditures during the year ended June 30, 2024 did not exceed the threshold of $750,000. Recommendation: We recommend that all funding contracts are carefully reviewed to determine whether the amounts awarded represent federal funding and whether they should be classified as contractor payments or as subrecipient payments. If there is any uncertainty, we recommend that the Organization contact the funding source for clarification. We recommend that a schedule of expenditures of federal awards is prepared on an annual basis to determine if total expenditures exceed the threshold which would require a Single Audit. Name of Contact Person: Kristen Genovese, CEO Phone Number: 602-652-0163 Anticipated Completion Date: June 30, 2025 Views of Responsible Officials and Corrective Actions: notMYkid, Inc. will establish procedures to review all contracts and, if necessary, to communicate with funding sources to ensure that receipts of federal funding are properly classified as subrecipient versus contractor arrangements to ensure completeness of the Schedule of Expenditures of Federal Awards. notMYkid, Inc. will also prepare the Schedule of Expenditures of Federal Awards on an annual basis to determine whether the threshold for a Single Audit is exceeded.

Due to staff turnover and key vacant positions, we were unable to locate some supporting documentation. However, procedures have been developed and implemented to ensure all reports and supporting documentation will be kept on file for a minimum of three years in a location accessible by all employees.

Views of Responsible Officials and Planned Corrective Actions: Staffing turnover limited ability for portfolio property managers to effectively manage tenant files at each building location. Historically, the management and auditing of tenant files was entirely under the process flows for property management team. The Inglis Compliance department is now sampling and reviewing tenant files to assure tenant files are accurate and audit ready at any given time. The tenant files for all entities will be current by December 2024. Inglis Housing Corporation hired new a new property management Executive Director in August 2024. Under her leadership the team has made extensive progress updating and bringing all PRACs, tenant recertifications, and tenant files into compliance. There has been in depth training for the property management team on the usage of a newly implemented property management system. All staff have or will attend external training classes for tax credit and HUD property management functions. The property management team is working on reviewing and updating all tenant files with a goal of being in compliance for the June 30, 2025 audit. Extensive process has been made as of October 2024. All of the HUD entities managed by the property management team are current through June 2024.

Views of Responsible Officials and Planned Corrective Actions: Staffing turnover limited ability for portfolio property managers to effectively manage tenant files at each building location. Historically, the management and auditing of tenant files was entirely under the process flows for property management team. The Inglis Compliance department is now sampling and reviewing tenant files to assure tenant files are accurate and audit ready at any given time. The tenant files for all entities will be current by December 2024. Inglis Housing Corporation hired new a new property management Executive Director in August 2024. Under her leadership the team has made extensive progress updating and bringing all PRACs, tenant recertifications, and tenant files into compliance. There has been in depth training for the property management team on the usage of a newly implemented property management system. All staff have or will attend external training classes for tax credit and HUD property management functions. The property management team is working on reviewing and updating all tenant files with a goal of being in compliance for the June 30, 2025 audit. Extensive process has been made as of October 2024. All of the HUD entities managed by the property management team are current through June 2024.

Views of Responsible Officials and Planned Corrective Actions: The deposits will be made as cash flows permits. The collection of tenant receivables and subsidy payments will improve as new property management team stabilizes operations by reducing turnover and increasing use of new property management system once fully implemented.

Views of Responsible Officials and Planned Corrective Actions: Staffing turnover limited ability for portfolio property managers to effectively manage tenant files at each building location. Historically, the management and auditing of tenant files was entirely under the process flows for property management team. The Inglis Compliance department is now sampling and reviewing tenant files to assure tenant files are accurate and audit ready at any given time. The tenant files for all entities will be current by December 2024. Inglis Housing Corporation hired new a new property management Executive Director in August 2024. Under her leadership the team has made extensive progress updating and bringing all PRACs, tenant recertifications, and tenant files into compliance. There has been in depth training for the property management team on the usage of a newly implemented property management system. All staff have or will attend external training classes for tax credit and HUD property management functions. The property management team is working on reviewing and updating all tenant files with a goal of being in compliance for the June 30, 2025 audit. Extensive process has been made as of October 2024. All of the HUD entities managed by the property management team are current through June 2024.

Views of Responsible Officials and Planned Corrective Actions: Staffing turnover limited ability for portfolio property managers to effectively manage tenant files at each building location. Historically, the management and auditing of tenant files was entirely under the process flows for property management team. The Inglis Compliance department is now sampling and reviewing tenant files to assure tenant files are accurate and audit ready at any given time. The tenant files for all entities will be current by December 2024. Inglis Housing Corporation hired new a new property management Executive Director in August 2024. Under her leadership the team has made extensive progress updating and bringing all PRACs, tenant recertifications, and tenant files into compliance. There has been in depth training for the property management team on the usage of a newly implemented property management system. All staff have or will attend external training classes for tax credit and HUD property management functions. The property management team is working on reviewing and updating all tenant files with a goal of being in compliance for the June 30, 2025 audit. Extensive process has been made as of October 2024. All of the HUD entities managed by the property management team are current through June 2024.

Views of Responsible Officials and Planned Corrective Actions: The planned corrective action did not take place as cash flow issues persist. The deposits will be made as cash flows permits. Inglis is in process of billing prior year amounts that are now in compliance and current year amounts.

Views of Responsible Officials and Planned Corrective Actions: Staffing turnover limited ability for portfolio property managers to effectively manage tenant files at each building location. Historically, the management and auditing of tenant files was entirely under the process flows for property management team. The Inglis Compliance department is now sampling and reviewing tenant files to assure tenant files are accurate and audit ready at any given time. The tenant files for all entities will be current by December 2024. Inglis Housing Corporation hired new a new property management Executive Director in August 2024. Under her leadership the team has made extensive progress updating and bringing all PRACs, tenant recertifications, and tenant files into compliance. There has been in depth training for the property management team on the usage of a newly implemented property management system. All staff have or will attend external training classes for tax credit and HUD property management functions. The property management team is working on reviewing and updating all tenant files with a goal of being in compliance for the June 30, 2025 audit. Extensive process has been made as of October 2024. All of the HUD entities managed by the property management team are current through June 2024.

Finding Reference Number: 2024-001 Initial Fiscal Year: 2023 Summary of Finding: Significant Deficiency: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) (Repeat Finding: 2023-001) In accordance with 16 CFR 314.4, a University shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue and must contain all of the elements that are further described in 16 CFR 314.4 During the audit, it was noted that the University’s Gramm-Leach-Bliley Act Policy did not fully address all of the requirements as described by 16 CFR 314.4. In addition, the application of the comprehensive information security program was not effectively administered by the University during the 2024 year. An updated policy was put into place in July 2024, which addressed several of the deficiencies noted in the existing policy, but not all. The University should continue to update their Gramm-Leach-Bliley Act Policy to be in accordance with the requirements and put in place effective controls and practices to ensure the policy is monitored in a way to ensure it is administered effectively and timely. Entity’s Corrective Action Plan: The Johnson University IT Department has consistently worked to improve compliance with GLBA regulations since July 2023. The leadership of Johnson University has taken a proactive and measured approach to GLBA compliance that ensures a balance between reaching compliance quickly and reaching compliance with long-term strategic planning. This has led to a GLBA implementation that will take 2 or more years but will set up the university for long-term excellence in compliance and security. The University understands the importance of GLBA requirements and is committed to ensuring student data is protected from all foreseeable threats. It will continue to iterate on its GLBA corrective action plan to ensure proper compliance for long-term security. The Johnson University IT Department has developed a plan to address deficiencies in GLBA compliance in each of the following areas: Requirement 1 - Qualified Individual: 16 CFR 314.4(a) Johnson University has designated Tim Fisher as our Qualified Individual. Tim Fisher is an employee of Johnson University, serving in the IT Systems Analyst role, and will work alongside Johnson University’s IT Director to oversee the information security program and its implementation. While Tim has over 15 years of on-the-job cybersecurity experience, additional training resources have already been provided to Tim Fisher to pursue the CompTIA Security+ certification. Tim Fisher expects to complete the training and gain the certification by the end of 2025. This was deemed sufficient for GLBA compliance in the audit report provided by Blackburn, Childers & Steagall, PLC dated November 6, 2024. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Requirement 2 - Risk Assessment: 16 CFR 314.4(b) Johnson University partnered with HORNE, a cybersecurity company, to conduct a risk assessment in November 2023. The assessment covered several topics and recorded inherent risk levels, existing mitigating controls, and the residual risk levels of each topic covered. Residual risk levels, the level of risk existing despite the existing controls, were found to be considered high in termination procedures and review of security logs. GLBA policy development and implementation decisions were based heavily on this initial risk assessment. A more comprehensive cybersecurity company with experience serving customers in Higher Education, DeapSeas, has been selected for ongoing cybersecurity assistance and will be conducting future risk assessments. Additional risk assessments are planned to be performed every 2 years to reexamine reasonably foreseeable risks and to account for changes in cybersecurity controls. The next risk assessment shall be completed by the end of 2025. Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Requirement 3.1 - Access Controls: 16 CFR 314.4(c)(1) Johnson University policy ensures that employee supervisors dictate appropriate access for each employee to the IT Department when they are hired or change positions. Supervisors are responsible for ensuring employees have appropriate access to locations where sensitive information is stored, such as file servers and Jenzabar (Student Information System) software access. The IT Department processes permission changes and does not provide permissions without explicit request from the employee supervisor. Auditing existing permissions is a weak spot that has, in the past, taken hours of manual work. We have purchased software, AD Manager, to assist with access reviews. We expect this software to be ready to audit necessary permission groups by the end of 2024. This should significantly reduce the time it takes to audit permissions through additional reporting and easy remediation features. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement, instituting a continuous monitoring process undertaken at periodic intervals. The University has contracted with a new software to assist with this, which is expected to be live by December 31, 2024. Note from JU IT: Requirement 3.1, access control reviews, is complicated as each department supervisor is responsible for setting access permissions. The IT Department will need to engage department supervisors for review and approval. Due to the transition in the I.T. Director position, the expectation to be live should be adjusted to March 31, 2025. Requirement 3.2 – Data Identification: 16 CFR 314.4(c)(2) Informal identification has been completed by the IT Department through generalized asset inventory procedures. DeapSeas, our selected cybersecurity vendor, has been contracted to conduct a more formal data identification procedure in early 2025. This will identify critical items and analyze risks and responsibilities associated with each party. This procedure will take place through scanning the corporate network and interviewing departments on their data storage procedures. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Resolution to this matter is expected to be addressed and incorporated into the policy by December 31, 2024.” Note from JU IT: For requirement 3.2, data inventory, we’re already under contract with DeapSeas to do this. It will be completed by March 31, 2025. Requirement 3.3 – Encryption: 16 CFR 314.4(c)(3) Johnson University has had encryption in transit for several years but has not had encryption at rest. Johnson University purchased licenses to enable encryption at rest in October 2023 and finished a project to encrypt most virtual machines containing sensitive data using AES-256 and XTS-AES-256 encryption on April 29, 2024. The remaining virtual machines are planned to be encrypted before the end of 2024. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement.” Requirement 3.4 – Secure Development: 16 CFR 314.4(c)(4) Johnson University does not develop in-house applications for transmitting, accessing, or storing customer information. A combination of the risk assessment, vendor analysis, and penetration testing will assess the security of externally developed applications. The risk assessment has already been completed, but further vendor analysis and penetration testing are planned to be completed by the end of June 2025. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. However, the University does not develop in-house applications for transmitting, accessing, or storing customer information.” Requirement 3.5 – Multi-factor Authentication: 16 CFR 314.4(c)(5) Johnson University has enabled multi-factor authentication on all connections to the server where our student information system (Jenzabar One) is accessed. Multi-factor authentication is also enabled for all logins to Office 365 and integrated applications, such as Zoom videoconferencing, our student/employee portal, Jenzabar Financial Aid (financial aid management system), and Jenzabar Recruitment (admissions software). Multi-factor authentication is also enabled on connections to our administrative systems, such as our network firewall, hypervisor, door access control, and security camera management systems. With multi-factor authentication requirements for all these systems, we believe that multi-factor authentication is enabled on all critical systems to protect student information. Evaluation of low-risk systems, such as our classroom audiovisual systems, for feasibility of multi-factor authentication are ongoing and expect to be completed by the end of 2024. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. However, the University utilizes multi-factor authentication on all connections to the server where student information system is accessed, as well as administrative and financial applications.” Requirement 3.6 – Data Retention: 16 CFR 314.4(c)(6) Organizational data retention policies, developed by the Finance Department, are currently in effect. These policies were originally written for other means but have some overlap with GLBA regulations. Evaluation of these policies for effectiveness is ongoing and expected to be completed by the end of 2024. Future evaluations for the effectiveness of data retention policies will take place every other year in a joint venture with the Finance and IT Departments. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Evaluation of organizational data retention policies for effectiveness is ongoing and expected to be completed by December 31, 2024. Note from JU IT: Requirement 3.6, data retention policies, will require collaboration between Finance and IT. Finance’s existing policies on data retention need to be enhanced. This just takes time and decisions from the CFO (how long to retain and when to delete – IT will be enforcing the policy technically). Evaluation will be completed by June 30, 2025. Requirement 3.7 – Change Management: 16 CFR 314.4(c)(7) Change management procedures have been discussed and official policies are being developed. Evaluation of security risk and risk of downtime or other degradation of service are being considered in change management procedures. Official policies should be in place in 2025. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. Official policies should be in place by December 31, 2024. Note from JU IT: A change management plan will be completed by March 31, 2025. Requirement 3.8 – User Logging: 16 CFR 314.4(c)(8) User logging is in place for all log-ins to Office 365 log-ins to its services and integrated applications. Microsoft Entra sign-in risk and user-risk policies are in place to enforce stronger security measures during sign-in, force password resets, or deny sign-ins altogether based on risk analysis. Sign-ins to on-premises resources are logged through new software, Log360, implemented in March 2024. Log360 analyses log-ins and sends notifications to IT Department technicians via email for suspicious activity. IT will then process these reports to take appropriate action to resolve the threat unless there is sufficient evidence of a false positive. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Office 365 user logging has been in place; sign-ins to on-premises resources was implemented in March 2024. IT has processes in place for addressing suspicious activity.” Requirement 4 – Security Assessment: 16 CFR 314.4(d)(1) DeapSeas, a cybersecurity vendor, has been chosen to conduct security assessments. A security assessment is planned for early 2025. Ongoing, internal security assessments are planned on an annual basis to be conducted by the IT Department. These assessments will assist in evaluating the effectiveness of existing controls and the ongoing development of the security program. Software has also been purchased and implemented for continuous monitoring of vulnerabilities within organizational software. The software, Vulnerability Manager, provides notice of known vulnerabilities and available patches for software installed on devices within our organization. These notifications are distributed through the software and through email. Automated and semi-automated patches are available through the software to be deployed to organizational devices over the internet. Patching known vulnerabilities within our software portfolio is a priority for us. This system should reduce overall risk and patch effectiveness will be verified with penetration testing. Our first annual penetration test is planned for early 2025. Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Requirement 5 – Security Training: 16 CFR 314.4(e) Security training has been made mandatory for all employees beginning in Fall 2024. Security training is done through our online video training platform, KnowBe4. This system allows for video, quizzes, and other learning material to be presented to the employees. KnowBe4 develops this content and ensures accuracy and appropriateness. Johnson University IT Department selects available materials and assigns them to employees. Security training was last updated after the initial risk assessment and will be reviewed every 6 months. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Requirement 6 – Service Providers: 16 CFR 314.4(f) Collection of SOC2 security reports from vendors that have access to systems with student information is in progress. The collection and analysis of these reports is expected to be completed by the end of 2024. Review of these reports is planned to be conducted annually, with requests for updated security reports every 3 years. \ Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Requirement 7 – Security Control Monitoring: 16 CFR 314.4(g) Security controls are being monitored using Log360 wherever possible. Continuous evaluation of these controls is underway and adjustments will be made to security controls as needed. New change management policies and penetration testing will influence the way we evaluate these controls and will likely include changes to monitoring systems and evaluation methods. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Anticipated Completion Date: Fall 2026 Name and Title of Responsible Person: Luke Edwards, Director of IT.

The District agrees and intends to continue supervision and monitoring of accounting information and operations, including obtaining explanations for variances from unexpected results. The Superintendent will continue to sign off on all payroll check registers and journal entries.

Recommendation: We recommend the Council updates in payment process to ensure that all providers are paid timely after receipt of grant funds. Action Taken: We have established a streamlined process to ensure timely disbursement of funds to providers upon receiving grant funds. Additionally, we have implemented a monitoring system to track payment timeliness and promptly address any delays. Responsible Party: Jeremy Ashbaugh, Director of Finance. Anticipated Completion Date: The issue has been corrected.

Name of Contact Person: Melanie Imholte Finance Director mimholte@soldotna.org 907-714-1224 Finding 2024-001 Reporting – Significant Deficiency in Internal Control Over Compliance Corrective Action The City of Soldotna will revise policies and procedures to ensure review and approval of grant reports being submitted. Expected Completion Date: Fiscal Year 2025

Finding 2024-001: The resident security deposit account did not have adequate funds to cover the security deposits collected at September 30, 2024. Comments on the Finding and Each Recommendation: Management should reconcile the security deposit listing on a monthly basis and transfer funds from the operating cash account to ensure the resident security deposit account is adequately funded. Action(s) taken or planned on the finding: Agree. On October 22, 2024, management transferred $524 from the operating cash account to fully fund the security deposit account.

Finding 2024-001 Condition: Supporting documentation was missing for 6 out of 98 disbursements selected for allowable costs testing during the audit. Without itemized receipts we were unable to determine if the purchases were allowable. However, the projection of the error was less than the $25,000 reportable limit of questioned costs. Cause: The Organization’s controls did not provide for supporting documentation to be adequately retained. Recommendation: We recommend that internal control procedures on recordkeeping and filing should be clearly stated as part of the Organization policy. Management Response: We concur with the finding. Corrective Action: 1. The Finance Committee will review and update the Organization's Policy to more clearly state expectations regarding control procedures on recordkeeping and filing. 2. Administrative staffer is being hired and will be responsible for streamlining supply ordering, setting up store accounts where possible to limit the need for in-store purchases, as well as the collection and filing of receipts. 3. Staff with credit cards will be retained regarding receipt retention procedures. Name of Responsible Person: Beth VanDerbeck

2024-003 Preparation of Schedule of Expenditures of Federal Awards and State Financial Assistance; District management believes that the cost of employing internal resources to draft the Schedule of Expenditures of Federal Awards and State Financial Assistanace Statement and related notes would outweigh the benefits to be received. Furthermore, District management will continue to employ personnel who have the capability to review, approve and accept responsibility for the Schedule of Expenditures of Federal Awards and State Financial Assistance Statement.

12/16/2024 United States Department of Health and Human Services Betty Jean Kerr – People’s Health Centers respectfully submits the following corrective action plan for the year ended May 31, 2024. CohnReznick LLP 350 Church Street Hartford, CT 06103 Audit Period: May 31, 2024 The findings from the May 31, 2024 schedule of findings and questioned costs are discussed below. The findings are numbered consistently with the numbers assigned in the schedule. FEDERAL AWARDS FINDINGS AND QUESTIONED COSTS Section III‐ Federal Award Findings and Questioned Costs Community Health Centers, Affordable Care Act (ACA) Grants for New and Expanded Services Under the Health Center Program, COVID-19 Affordable Care Act (ACA) Grants for New and Expanded Services Under the Health Center Program Federal Assistance Listing Numbers: 93.224 and 93.527 Item 2024‐001 – Special Tests Recommendation The Center should establish a system of internal controls to ensure that all slide fee discounts are properly calculated based on family size and income. Repeat Finding Yes Action Taken 1. Upon notification of findings, new reporting structures and training were developed for the FOA staff. Direct governance was moved from finance to operations, and the scheduling supervisor was promoted to a newly created role entitled the Director of Patient Access. This role is directly responsible for training and the scheduling of FOA staff as well as data integrity of registration information. 2. Once developed, we provided targeted training sessions for all staff involved with the calculation of sliding fees on the policies and procedures to ensure:  The sliding fee guidelines document is known.  Understanding of the methodology for calculating fees, including how family size and income are considered.  Documentation required to support income and family size information provided by clients. This may include tax returns, pay stubs, or other relevant documents.  To use the standardized form (checklist) to ensure all necessary information is collected and verified. 3. We also have implemented a monthly audit process that randomly selects a sample of sliding fee patients. Selected patients’ files are reviewed to identify any potential discrepancies. If discrepancies are noted, prior to remediation, errors are documented so that thematic analysis can be conducted, and root causes can be identified. To ensure traction of the initiative, audit findings are presented monthly to the quality assurance and performance improvement committee. 4. We make every effort we can to effectively communicate the sliding fee scale to clients. In addition to face-to-face communication, it is presented openly in several locations throughout the agency and is also available on our website. We are aware that ensuring the continued compliance of the SFS scale determinations, as well as the financial accuracy of our books requires consistent and continuous commitment to quality and improvement. We are confident that the changes made to our internal controls will significantly strengthen our processes. We believe these measures will mitigate the risk of errors and inaccuracies in the future, providing greater assurance over the reliability of our financial reporting. If the Cognizant or Oversight Agency for Audit has questions regarding this plan, please call: Javier Vallejo, CFO at 314-482-0915. Sincerely yours, Javier Vallejo Chief Financial Officer

JEVS HUMAN SERVICES AND AFFILIATES CORRECTIVE ACTION PLAN YEAR ENDED JUNE 30, 2024 FINDINGS – FEDERAL AWARD PROGRAM AUDITS (CONTINUED) U.S. Department of Education 2024-002 Significant Deficiency in Internal Control over Compliance Student Financial Aid Cluster: 84.007 - Federal Supplemental Educational Opportunity Grants 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans Condition: During the audit, we noted JEVS Human Service has gaps within their Written Information Security Program and policies when compared to the Safeguards Rule. Recommendation: We recommend management continue to evaluate its written information security plan and establish the required documentation in accordance with GLBA safeguard rules. Explanation of Disagreement with Audit Finding There is no disagreement with the audit finding. Action taken in response to finding: Management will evaluate its written information security plan and establish the required documentation in accordance with GLBA safeguard rules. Planned completion date for corrective action plan: March 31, 2025

The District will ensure that Additional or Compensatory Special Education or Related Services (ACSERS) funds are not used to fund Substitute Services due to the teacher shortage.

Finding Number: 2024-001 Program Name/Assistance Listing Title: COVID-19 Coronavirus State and Local Fiscal Recovery Fund Assistance Listing Number: 21.027 Contact Person: Jeremy Bow, Director of Finance Anticipated Completion Date: August 12, 2024 Planned Corrective Action: In May of 2020, amid the urgent health and safety impacts of the global Covid-19 pandemic, Emerge closed its emergency shelter facility in order to transition to the use of a hotel to provide a non-congregate shelter setting for its Participants. In the urgency to make the transition and the uncertainty of the duration of stay, Emerge did not perform a SAM.gov review of the hotel for suspension or debarment, as federal funds were not anticipated to be utilized at the time. In April 2022, Emerge surpassed the $25,000 threshold for federal funds paid to this vendor during a fiscal year. Having previously been operating out of the hotel for nearly 2 years prior, the need for a SAM.gov review was overlooked at that time and was not identified on the audits for either fiscal year 2022 or 2023. When notified of the deficiency on August 12, 2024, during initial field work for the audit of fiscal year 2024, Emerge took same-day action to resolve the previous oversight. On August 12, 2024 Emerge performed the necessary check via SAM.gov and confirmed the vendor hotel was free from suspension or debarment. Concurrently, Emerge revised its Procurement Policy to specifically require compliance with Federal Acquisition Regulation Systems - 2 CFR §180.300 & §180.995. Per Emerge Procurement Policy, revised August 2024: “Any Agency procurement action which will utilize federal or sub-federal funds, in full or in part, shall be done so in compliance with Federal Acquisition Regulation Systems - 48 CFR §2 Subpart 2.1, 2 CFR §200 Subpart D, and 2 CFR §180.300 & §180.995 as required by federal regulation. Compliance with this and all other Federal guidance shall be the shared responsibility of the Chief Executive Officer, Senior Leadership, and the Director of Finance. Copies of these regulations shall be maintained by the Agency for reference.” It is Emerge’s perspective that appropriate action has been taken in order to substantially mitigate the risk of recurrence based on the revisions to its Procurement Policy and the internal reviews of both the revised policy and the audit finding with Senior Leadership.