Corrective Action Plans

Browse how organizations respond to audit findings

Total CAPs in database: 52,068
Condition: On the March 31, 2023 Project and Expenditure report the Town reported $625,231 of obligations for items that did not meet the definition of an obligation. Corrective Action Planned: Correct in next open reporting period Anticipated Completion Date: March 31, 2024 Contact: April Steward, Town Administrator
Finding 372076 (2023-001)
Significant Deficiency 2023
Condition: The Town has not documented in writing its policies regarding federal awards. Corrective Action Planned: A financial policy for managing receipt of federal awards is in the process of being created by the Financial Policies Committee Anticipated Completion Date: December 31, 2024 Contact: April Steward, Town Administrator
FINDING 2023-001 Finding Subject: Research and Development Cluster – Subrecipient Monitoring Summary of Finding: Audit Finding 2023-001 states that Indiana State University did not have an effective internal control system in place in order to ensure that subrecipient Federal Audit Clearinghouse reports are reviewed in a timely manner for the Research & Development Cluster. Contact Person Responsible for Corrective Action: Hope Waldbieser, Executive Director of Finance Contact Phone Number and Email Address: 812-237-3524 - hope.waldbieser@indstate.edu Views of Responsible Officials: We concur with the finding that Indiana State University should have completed the Federal Audit Clearinghouse review in a more timely manner. Indiana State University conducted the required review, but it was completed later than allowed by the excerpt of 2 CFR 200.521(d) below. 2 CFR 200.521(d) states in part: “The federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. . . .” Indiana State University did have other aspects of subrecipient monitoring in place related to the review of financial and programmatic reports for the subrecipients. Explanation and Reasons for Disagreement: Description of Corrective Action Plan: Effective January 2024, Indiana State University will update its Subrecipient Monitoring procedures in the following ways to ensure the Federal Audit Clearinghouse is reviewed in a timely manner and that appropriate documentation is maintained. 1. Subrecipient Federal Audit Clearinghouse reviews for prior fiscal year audits will be completed quarterly (July, October, January & April) during each fiscal year. The final Subrecipient Federal Audit Clearinghouse review for prior fiscal year audits will be completed in July after all current fiscal year payments have been made.
2. In order to ensure there is a segregation of duties the Office of Contracts & Grants Director will provide the Executive Director of Finance a report of the completed review each quarter including the final review in July for their review and approval. The Executive Director of Finance will confirm the following: a. There is adequate documentation to support each quarterly review. b. Any deficiencies pertaining to the subrecipients' Federal Audit Clearinghouse findings related to an award from Indiana State University are addressed in a timely manner. 3. Any identified issues during these reviews will be appropriately addressed by management as required by 2 CFR 200.332 and 2 CFR 200.521(d). Anticipated Completion Date: Indiana State University will ensure that the revised timeline for these procedures is in place during January 2024.
Finding Number: 2023-007 Condition: The Seminary did not identify or provide the appropriate notification to a student that was not meeting the Seminary's policy on satisfactory academic progress (SAP). Planned Corrective Action: Satisfactory academic progress is now being monitored more carefully. The Satisfactory academic progress report is run out of the student financial aid system. The internally generated report is reviewed by the Registrar and Financial Aid Director to confirm that student satisfactory academic progress statuses are correct. Once the appropriate status is confirmed, the Financial Aid Director will document students who are not in compliance with the institution’s policy and provide notifications to each student through email. The emails are recorded in the students' Jenzabar financial aid account. Contact person responsible for corrective action: Ashley Schreiner, Director of Financial Aid Anticipated Completion Date: 06/01/2024
Corrective Action Plan To: Federal Awarding Agency: U.S. Department of Education; Passed-Through Commonwealth of Massachusetts, Department of Elementary and Secondary Education From: Heidi M. Paluk – Executive Director Date: 10.25.2023 Subject: Annual Performance Report Issue to be corrected: The Organization must follow the standards set out in the OMB 2 CFR section 200.239. The Organization must submit an annual performance report (OMB. No. 1810-0749) for the Elementary and Secondary School Emergency Relief (ESSER) funding with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory/reservations. The expenditures disclosed on the report must match the expenditures stated in the Schedule of Expenditures of Federal Awards (SEFA). The total ESSER expenditures reported within the annual performance report did not agree back to the ESSER expenditures recorded on the SEFA for the year ended June 30, 2022, by approximately $435,000. Action to be taken: Management plans to follow its internal controls as intended to ensure the annual performance reports agree back to the SEFA for applicable reporting periods. Management has notified its reporting contact of the error and inquired regarding amending the annual performance report. The annual performance report is not able to be amended at this time; however, management has a plan to correct this report once the reporting amendments are allowed. Signature: Heidi M. Paluk 508-854-8400 ext. 3656
Finding 371922 (2023-008)
Significant Deficiency 2023
The City agrees with the finding. The City's Grant Administrator will provide training to each City department which currently oversees subrecipients, ensuring that all department staff understand general and ARPA-specific subrecipient requirements. Additionally, the Grant Administrator will review City departments' subrecipient management checklists to ensure all required documentation is obtained from subrecipients and reviewed as required. This will be complete by June 30, 2024.
The City agrees with the finding. The Treasury Portal automatically fills in the amounts for revenue loss for 2022 with amounts reported in 2020. The Treasury portal has many flaws that would cause errors in reporting. In addition, the portal has changed every quarter, which makes it challenging to report accurately. The City will implement controls to ensure that a second review is completed prior to certification of the report. Additionally, the Grant Administrator will work with department staff responsible for reporting and ensure that each report's supporting documentation is complete and ties to underlying subrecipient reports, the general ledger and grantor reports. All supporting documentation, along with a copy of the submitted report, will be stored in a central location to ensure that they are available for subsequent reviews and audits. This will be completed by June 30, 2024.
SUBRECIPIENT MONITORING School Building Authority (SBA) Assistance Listing Number 97.036, COVID-19 97.036 The SBA will ensure and review audits of all subrecipients yearly effective February 2024. The SBA will implement policies and procedures to monitor all subrecipients to ensure compliance with federal requirements. This will include, but is not limited to, performing a yearly risk assessment as required by 2 CFR 200.303. This assessment will take into consideration results from the yearly audit of each subrecipient as well as other criteria listed in 2 CFR 200.303 paragraphs (b), (d) & (e).
INTERNAL CONTROLS OVER TRANSPARENCY ACT REPORTING Division of Emergency Management (DEM) Assistance Listing Number 97.036, COVID-19 97.036 To correct the finding, DEM met with federal partners in February 2023 to ensure understanding of what was to be reported, and ensured all staff managing grants with reportable awards knew the requirements. In March 2023, DEM implemented an internal control review between the Program Manager and the Section Chief for FFATA reporting. To ensure this finding is resolved, DEM will continue to utilize the internal control review that has been put in place.
SPECIAL TESTS AND PROVISIONS – ADP RISK ANALYSIS & SYSTEM SECURITY REVIEW Department of Health and Human Resources (DHHR) Assistance Listing Number 93.775, 93.777, COVID-19 93.777, 93.778, ARRA 93.778 The Condition section within prior year finding 2022-037 recognized that the DHHR has policies and procedures in place for performing periodic risk assessments and security reviews over the Recipient Automated Payment and Information Data System (RAPIDS), which is an internal system; however, the Condition section also proclaimed that the DHHR does not have policies and procedures to perform periodic risk assessments and security reviews over the Medicaid Management Information System (MMIS). The first sentence of the corrective action plan for prior year finding 2022-037 indicates that the MMIS is designed, developed, implemented, and operated by an external service organization. Within the last two paragraphs of the corrective action plan for prior year finding 2022-037, the DHHR opined that it was in compliance with 45 CFR 95.621 since it receives the SOC 1 Type 2 report from the MMIS service organization and since the report documents that the service organization establishes and maintains a program for conducting periodic risk analyses to ensure appropriate, cost effective safeguards are incorporated into new and existing systems or whenever significant system changes occur, as required per 45 CFR 95.621. However, the DHHR also recognized the underlying concern expressed within the finding, in that the DHHR does not include the SOC 1 Type 2 report as part of its own policies and procedures for ADP security over the MMIS. To enhance its controls, the DHHR Bureau for Medical Services (BMS) was going to develop a policy and procedures to document MMIS compliance with 45 CFR 95.621. 
The procedures were to include but not be limited to a requirement to review and approve the SOC 1 Type 2 report from the MMIS service organization and document the review and approval process (e.g., for such matters as the service organization’s assertions, descriptions of its systems and controls, control objectives, and related controls, and the service auditor’s description of tests of controls and results). Although the DHHR BMS has not developed a comprehensive policy or any written procedures to date, they have developed a form to document internal review of the SOC 1 Type 2 report for such matters as the control environment, systems development and maintenance, logical security, physical access, computer operations, and input controls. The BMS has also discussed this issue with an independent consulting firm that is under contract with the BMS for Medicaid expertise and performs existing services related to information technology and security; modernization and planning for the overall Medicaid Enterprise Systems (MES); organization development, including alignment strategies; project management; and data architecture and governance, which includes managing the availability, usability, integrity, and security of data with comprehensive standards and policies. The BMS and its independent consulting firm will work together to develop a statement of work for an independent review of the existing control environment, if deemed necessary, and any additional services that might need performed in order to ensure the DHHR maintains full compliance with 45 CFR 95.621 and can document compliance for future HHS reviewers, independent auditors, or other authorized officials.
SPECIAL TESTS AND PROVISIONS – FRAUD DETECTION AND REPAYMENT West Virginia Department of Health and Human Resources (DHHR) Assistance Listing Number 93.575, 93.596, COVID-19 93.575 Per 45 CFR 98.68(b)(2), there is no requirement for lead agencies to recoup Child Care and Development Fund overpayments, except in instances of fraud as defined by the lead agency. Within the State of West Virginia, the lead agency is the DHHR. As indicated in Section 8.1.6 of the CCDF [State] Plan for West Virginia for Federal fiscal years 2022-2024, the DHHR Office of Inspector General (OIG) is responsible for pursuing fraud and overpayments. As indicated in Section 1.1.2 of the CCDF [State] Plan, the Division of Early Care and Education within the DHHR Bureau for Family Assistance (BFA) administers the CCDF program. Accordingly, the OIG and BFA strive to work as a unified team within the DHHR and State as a whole to identify and prevent fraud or intentional program violations; to identify and recover misspent funds as a result of fraud; and to otherwise fight fraud and ensure program integrity. As the lead agency, and as necessary to ensure program integrity, the DHHR has policies and procedures in place to define fraud and to identify and recover payments resulting from fraud, as the auditors indicated within the condition and recommendation sections of this finding and to track referrals and determinations from beginning to end (i.e., beginning in the year of identification and continuing through resolution or the establishment and enforcement of repayment agreements). 
The policies and procedures are specifically referenced in Chapter 8 of the BFA’s “Child Care Subsidy Policy and Procedures Manual.” Chapter 8 of the manual is titled, “Improper Payments: Prevention, Identification, Measurement and Recoupment.” Improper Payments Per Chapter 8 of the manual, an improper payment occurs when the funds go to the wrong recipient, the recipient receives the incorrect amount of funds, or the recipient obtains or uses the funds in an improper manner. Improper payments include 1) worker error in determining eligibility, authorizing care, or paying for care; 2) misrepresentation on the part of the parent or provider; and 3) programmatic infractions by parents or providers. 1. Worker Error – Improper payments due to worker error are defined as payments that should not have been made or that were made in an incorrect amount due to an error in determining and verifying eligibility, calculating the benefit, or entering the data into the eligibility system. Repayment of an improper payment due to worker error is not mandatory regardless of the amount. 2. Misrepresentation – Misrepresentation (i.e., fraud) occurs when a specific section of the child care policy is violated as a result of the information not having been reported by the client or provider or reported falsely. Improper payments made as a result of mis-interpretation must be referred to the OIG when the amount exceeds $1,000.00. If the amount does not exceed $1,000.00, the BFA must initiate repayment procedures. A willfully false statement is one that is deliberately given, with the intent that it be accepted as true, with the knowledge that it is false. It is an essential element in a misrepresentation charge that the client or provider knew the statement was false. 3. 
Programmatic Infraction – There are times when it is difficult to discern whether an improper payment occurred due to willful misrepresentation or is simply the result of a client or provider’s genuine confusion over subsidy program rules and responsibilities. When the case manager believes that improper payments were the result of the client or provider’s failure to understand, it is considered to be a programmatic infraction; it is the BFA’s responsibility to collect the improper payment in this instance, regardless of the amount. If the case manager is in doubt as to whether an improper payment is a programmatic infraction or is the result of misrepresentation by the client or provider, and the improper payment is less than $1,000.00, the case manager discusses the case with the supervisor and the supervisor subsequently consults with the program director; together, they make the decision whether to pursue repayment. Referrals from the Bureau for Family Assistance to the Office of Inspector General If the overpayment is $1,000.00 or greater and is due to misrepresentation by the client or provider, the case manager prepares a memo explaining the circumstances, the time period, and an estimate of the amount involved; indicates the person(s) who can verify the information within the memo; attaches a copy of all applicable documentation including, but not limited to, the payment form and attendance sheets that help support the complaint; states what corrective actions the case manager has taken on the case; and sends a copy of the memo and supporting documents to the Office of Inspector General, Division of Investigations and Fraud Management. 
Recovery of Improper Payments Resulting from Misrepresentation (i.e., Fraud) The supervisors within the BFA are responsible for negotiating repayment schedules with providers and clients and completing a Child Care Benefit Repayment Agreement to include the amount to be recovered, the period of recovery, the monthly recovery amount, and the procedure for repayment. If the provider or client is active, the case manager attempts to collect the payment in full; if this is not feasible, the case manager requests that the client or provider be asked to repay the amount in monthly installment payments of approximately 10% of the amount due. If a payment is more than 45 days late (15 days past the due date), the entire unpaid balance becomes due and must be paid in full. Failure to repay the requested amount results in case closure for clients or denial of participation in the certificate system for child care providers. Client services will not be reinstated until full payment is received. There are no policies or procedures to pursue repayments or collection beyond that point. There is no method to recoup overpayments from ongoing benefits, and the CCDF is not subject to the Treasury Offset Program, as other Federal programs are. Corrective Action Plan As previously stated, the OIG and BFA strive to work as a unified team within the DHHR to identify and prevent fraud or intentional program violations; to identify and recover misspent funds as a result of fraud; and to otherwise fight fraud and ensure program integrity. In response to the auditor’s recommendation for this finding, the OIG and BFA will revisit existing policies and procedures over fraud detection and repayment and will attempt to enhance the controls related thereto, particularly in relation to ensuring that all efforts concerning fraud detection and repayment are sufficiently documented, thus demonstrating full compliance with 45 CFR 98.60. 
Maintaining documentation of the decision-making process, the activities performed, and the results of those activities is of paramount importance in achieving that objective. A high level of documentation is necessary to support that the DHHR has policies and procedures in place and is following those policies and procedures. Maintaining adequate records and other documentary evidence will resolve this audit finding, prevent the occurrence of future audit findings, and provide a means to corroborate statements and assurances provided to regulatory agencies and other authorized individuals with regards to the DHHR’s overall compliance with 45 CFR 98.60. It is not enough to perform the activities; there must be an adequate audit trail to show the “who, what, when, where, and how” of the activities performed. As such, the OIG and BFA will also develop and maintain an appropriate system for categorizing their files and organizing their records, reports, and documents in a systematic and orderly manner to ensure, among other purposes, that they can substantiate their efforts when audited, reviewed, or evaluated by internal staff or authorized external organizations.
View Audit 293105 Questioned Costs: $1
ALLOWABILITY AND ELIGIBILITY Department of Health and Human Resources (DHHR) Assistance Listing Number 93.658 As indicated in the Condition section of the finding, although the documentation related to safety considerations at child care institutions was not initially maintained in the official licensing files for 10 of the 40 cases tested for eligibility, the documentation was eventually provided to the auditors for eight of those 10 cases. For one of the remaining two cases, the child care institution is an out-of-state institution that is no longer in business. For the other case, the child care institution provided documentation, but the documentation did not include the dates of the institution’s safety checks. In an effort to enhance internal controls over the safety considerations at child care institutions, the West Virginia Department of Health and Human Resources, Bureau for Social Services (BSS), is continuing to analyze the condition that led to this finding and is considering a number of steps, including but not limited to the following as an immediate plan of action: • Transmit a copy of 2 CFR 1356.30(f) to all licensing personnel, supervisors, and other applicable staff within the BSS and oblige them to acknowledge that they have read and understand the requirements referenced therein. • Implement a formalized policy and develop written procedures for ensuring the licensing files for child care institutions contain documentation which verifies that safety considerations with respect to the staff of the institutions have been addressed. • Develop overall standards for the maintenance of documentation within licensing files (e.g., a consistent naming convention for the documents, which would improve internal tracking and ensure that requests from independent auditors are addressed efficiently and fully; personnel who have read-only access to documents versus those who can add, replace, and delete documents; record retention requirements; etc.). 
• Establish a formalized process for monitoring. Such a process would include a strategy for conducting internal reviews of all licensing files on a recurring basis, reporting the results of those reviews to appropriate officials internal and external to the DHHR, following up with those officials as may be necessary, and documenting the overall results accordingly. For example, if the results of a monitoring review indicated noncompliance [or potential noncompliance] on the part of a child care institution, the BSS would inform the institution, request a copy of the institution’s written policies and procedures regarding safety considerations, discuss it with the institution, and provide technical assistance to the maximum extent practicable. Once the BSS drafts the aforementioned policies and procedures and related monitoring process, or otherwise enhances their internal controls over the safety considerations at child care institutions, the BSS will discuss the matter with their regular programmatic contacts at the U.S. Department of Health and Human Services, Administration for Children and Families, and will ask the ACF if the BSS’s planned controls are aligned with the ACF’s universal expectations surrounding 2 CFR 1356.30(f).
View Audit 293105 Questioned Costs: $1
SUBRECIPIENT MONITORING West Virginia Community Advancement and Development (WV CAD) Assistance Listing Number 93.568, COVID-19 93.568 Between the years 2022 and 2023, the Weatherization Assistance Program (WAP) experienced a significant turnover in its staff. As a result of this turnover, the proper adherence to the requirement of 2 CFR 200.332(f) for verifying subrecipients was not followed during the auditing process. To ensure that this requirement is met in the future, WV CAD has taken measures to document the policies and procedures related to the financial audit requirements of 2 CFR 200.332(f) in the current WAP State Plan. A designated team member has been assigned the responsibility of maintaining a comprehensive tracking list, which includes the due dates of audits, their review dates, any necessary subrecipient corrective action plans, the dates of letter correspondence, and the uploading of all relevant documents into the division's Shared Drive. Additionally, this team member is also responsible for downloading the audits from the Federal Audit Clearinghouse and submitting the information to the Fiscal Monitor for a thorough accounting review. These measures aim to ensure proper compliance and accountability within the Weatherization Assistance Program. This action will be implemented in February 2024.
TRANSPARENCY ACT REPORTING Department of Health and Human Resources (DHHR) Assistance Listing Number 93.558, COVID-19 93.558, 93.568, COVID-19 93.568 The DHHR enhanced its controls over Transparency Act reporting for LIHEAP during State Fiscal Year 2023 and met with various staff members internal and external to the DHHR (e.g., at other State agencies) to ensure everyone was aware and understood their roles in ensuring compliance on behalf of the State. Although those controls are in full effect for fiscal year 2024, the DHHR will revisit and enhance the controls to the maximum extent possible. Furthermore, the DHHR will reopen its previous submissions to the FSRS and revise the data elements to those assigned by the other State agency to their subrecipients; considering the need to consult with the DHHR spending unit and the other State agency, the anticipated date for completion is April 1, 2024.
SUBRECIPIENT MONITORING Department of Education (DOE) Assistance Listing Number 93.558, COVID-19 93.558 Program management will implement policies and procedures to ensure that the subrecipient monitoring is updated to “ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the passthrough entity must provide the best information available to describe the federal award and subaward.” The timeline for the development and initiation of the process is tentatively set for February 1, 2024.
INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING Department of Health and Human Resources (DHHR) Assistance Listing Number 93.788, 93.323, COVID-19 93.323, 93.575, 93.596, COVID-19 93.575, 93.558, COVID-19 93.558 This finding is a repeat of prior year finding 2022-041. As related to the first paragraph of the corrective action plan for 2022-041, the new risk assessment form and related processes are still under review within the DHHR. Regarding the second paragraph of that corrective action plan, the DHHR developed a series of certifications that will replace the mandatory monitoring checklist currently in use within the DHHR. The certifications will be part of the workflow within the DHHR's subrecipient Grants Management Solution system (CRM). One of the certifications will be based on the requirements for pass-through entities within the Code of Federal Regulations at 2 CFR 200.332(b) and will require DHHR spending units to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate level of monitoring to apply to the award. The level of monitoring applied to a particular subrecipient for an individual grant award will depend on multiple factors, such as the subrecipient's prior experience with the same or similar grant awards or programs; the subrecipient's prior experience with any type of grant award or program; the results of previous external audits or internal reviews, including whether or not the subrecipient receives a Single Audit in accordance with 2 CFR 200 Subpart F ("Audit Requirements"); and whether the subrecipient has new personnel or new or substantially changed systems. When a DHHR spending unit considers these [and other] factors prior to awarding a grant, they are in essence evaluating the subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the grant award. 
If an evaluation of such factors proves that the subrecipient's risk of noncompliance is high, the award will still be made to address a programmatic need, and special conditions that correspond to the degree of risk may be applied to the award. In other words, the DHHR spending unit may adjust or impose specific and additional award conditions upon a subrecipient if the evaluation proves that such additional conditions are appropriate. Special conditions would include but not be limited to requiring payments as reimbursements rather than advance payments; withholding authority to process to the next phase until receipt of evidence of acceptable performance within a given performance period; requiring additional, more detailed financial reports; requiring additional project monitoring; requiring the subrecipient to obtain technical or management assistance; and establishing additional prior approvals. Although none of these requirements are new within the DHHR, adding a certification directly within the CRM workflow to address such matters will provide the DHHR with an ability to embed various controls directly within the system, provide a higher level of assurance over the risk assessment and monitoring process, increase accountability on the part of the spending units, and provide a more effective audit trail. Given these expanded goals and the need to work with a contractor on adding these additional controls within the CRM system, the DHHR plans to implement the controls via a manual process first, with a desired date for completion of May 31, 2024.
ALLOWABILITY Department of Education (DOE) Assistance Listing Number COVID-19 84.425D, 84.425U The DOE plans to strengthen its internal controls by putting in place a review of procurement procedures prior to the Local Educational Agency (LEA) finalizing a purchase. This control will entail DOE working with LEAs to monitor their internal control procedures for procurement and testing these procedures randomly throughout the year. The questioned costs were first identified as stringing in the FY21 monitoring. Subsequently, there was a repeat finding with the same vendor in FY22 which raised additional questions. The LEA was required to do an additional training put on by the DOE to improve knowledge/procedures of WV Policy 8200. The DOE plans to address these issues by working with the LEA to move the expenses off federal monies. Along with working with the LEA, the DOE is working with the FBI, West Virginia State Police, and the Office of the Inspector General to investigate the spending and the vendor themselves.
View Audit 293105 Questioned Costs: $1
REPORTING Department of Education (DOE) Assistance Listing Number COVID-19 84.425D, 84.425R 84.425U, 84.425V Effective February 2024, the DOE plans to continue to enforce the existing policies and procedures in place along with ensuring all required documentation is retained for review. The DOE plans to review the ESSER Reporting Workbook by testing several indicator values i.e. expenditure amounts, demographic data, etc. There will be an approval process put in place once the Local Education Agency (LEA) submits the reports to the state. This approval process will include reviewing the edit checks with the LEA prior to final certification of data. Certification data will include an email from the LEA approving the final copy of the ESSER Reporting Workbook.
TRANSPARENCY ACT REPORTING Department of Education (DOE) Assistance Listing Number COVID-19 84.425C, COVID-19 84.425D The West Virginia Department of Education, Office of Internal Operations has established internal controls and procedures over the FFATA reporting, which were set in place as of July 1, 2023. These procedures involve a second reviewer of the monthly FFATA reports and a signature of approval prior to reporting each month.
SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY Blue Ridge Community and Technical College, Bluefield State University, Concord University, Fairmont State University, Marshall University, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia State University, and West Virginia University at Parkersburg Assistance Listing Number 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.264, 93.342, 93.364 Blue Ridge Community and Technical College (BRCTC) response Management acknowledges that BRCTC did not retain documentation for the review of the written information security policy during the audit year in question. Effective January 2024, documentation will be kept for the annual review of the written information security policy. Bluefield State University (BSU) response BSU will implement policies and procedures by May 2024 to ensure policies and procedures are in place to address the 7 elements and 8 safeguards that are in the Information Security Program. Concord University (CU) response A Complete Risk Assessment was conducted and completed in May 2023 using the ITIL standards. CU also completed the annual GLBA Risk Assessment using the WolfPac software from Wolf and Company in June 2023. This assessment is done in conjunction with Information Technology, Financial Aid, and the Business Office to evaluate the Controls established by NIST 800-171. In addition, CU uses the KnowBe4 product to do simulated phishing campaigns to test the effectiveness of the CyberSecurity Training. CU and every individual are assigned a Risk Score that can be compared to scores for the industry. Anyone that falls for a simulated phishing email is automatically enrolled in additional training. 
CU has also added the phish reporting function to email clients so everyone can easily report suspected phishing emails for analysis by IT. The GLBA Risk Assessment addresses the following: Employee training and management: All employees are required to complete two trainings each year: one on privacy focused on FERPA and the other on cybersecurity. Current training is being provided using the KnowBe4 software product. CU has reviewed the access to all college resources, especially Banner, over the past few months, and made necessary changes to each employee’s access as needed. This review was completed by the Banner data custodians and supervisors. This allows us to ensure alignment of user privileges and job responsibilities. Access to all Banner data was approved by the appropriate data custodian. This is documented and archived in an IT account. All users are required to enter a unique username and password to gain access and are required to meet Microsoft’s password complexity standards. Another important safeguard is physical security. All telecommunication closets are secured by locks and only IT staff has access via a master key or badge. This also is true of the Data Center which houses our on-campus servers. Access to all of our campus services is secured by VPN tunnels. Trendmicro is used to protect client PCs. CU also uses BitLocker on mobile equipment used by employees to encrypt the data. Data that may be stored on mobile devices are required to be encrypted. CU is currently creating a data retention policy for the retention and disposal of data. This policy will meet the state and federal requirements for data retention. Information Systems, including network and software design, as well as information processing, storage, transmission, disposal, and a complete risk assessment was conducted and completed in May 2023 using the ITIL standards. CU completed a risk assessment using the WolfPac software from Wolf and Company in June 2023. 
In addition, CU uses the KnowBe4 product to do simulated phishing campaigns to test the effectiveness of the cybersecurity training. The institution and every individual are assigned a risk score that can be compared to scores for the industry. Anyone that falls for a simulated phishing email is automatically enrolled in additional training. CU has also added the phish reporting function to email clients so everyone can easily report suspected phishing emails for analysis by IT. Detecting, preventing, and responding to attacks, intrusions, or other system failures. CU uses a Fortinet Fortigate Appliance to provide Intrusion Prevention System (IPS), Firewall, and Virtual Private Network (VPN) connections to campus. Regular software maintenance and patch management of network equipment is performed. Network patches are deployed in a test bed as they are released. If no issues are found, they are deployed to production network equipment. Systems are monitored weekly and required patches are first cleared with Enterprise Systems to ensure compatibility with Student Information System before production implementation. CU created the incident response plan and disaster recovery plan in 2022. CU partnered with CISA of Homeland Security to conduct weekly vulnerability scans using their Cyber Hygiene Services in 2022. CU also uses Nessus to do internal vulnerability scans on a monthly basis. CU is using these reports to make needed changes to network and server infrastructure to stay as protected as possible from threats. CU implemented multifactor authentication for all employees in 2022. Backups of the student information system are facilitated by Oracle in our Oracle cloud environment using the Oracle database backup cloud service. Production backups are configured to retain 45 days of changes. CU conducts redundant nightly backups that will be stored on-campus for 365-day coverage and retention. CU also implemented immutable backups through ORACLE during 2023. 
Safeguards for each risk were identified. Safeguards for each risk were discussed and are shown in the Risk Assessment. CU identified two areas for improvement: implementing data loss prevention in TrendMicro Apex 1 and blocking traffic from unfriendly nations. Implement and periodically review access controls. Access to Banner is reviewed annually by the data stewards and any unnecessary employee access is removed. Additionally, access is removed when employees leave the institution. CU conducts a periodic inventory of data, noting where it’s collected, stored, or transmitted. This is done as part of the GLBA risk assessment using WolfPac. CU encrypts customer information on the institution’s system and when it’s in transit. BitLocker is used on university equipment to encrypt the entire computer hard drive. Security channels are used to transfer data when needed. A VPN tunnel and web access firewalls are used to access the Banner data in the Oracle Cloud Infrastructure (OCI). The databases are encrypted at rest and in-transit. Assess apps are developed by CU and internal and external vulnerability scans are conducted. CU also reviews system logs and uses well supported development frameworks and tools. CU implemented multi-factor authentication for anyone accessing customer information on the institution’s system. Multi-factor authentication is required of all employees before they can access CU resources off-site. The employee network is segmented on its own virtual local area network. CU disposes of customer information securely and purged online forms that are no longer needed, especially those that contain PII. Financial Aid recently destroyed old documents using an onsite shredding service after scanning the documents that needed to be retained. For equipment, CU removes hard drives before the equipment is recycled and destroys the drives. CU anticipates and evaluates changes to the information system or network. 
CU plans for changes to information systems and the network and incorporates appropriate measures to ensure both physical and data security. Banner upgrades and changes are tested by the Banner users group before they are placed into production. A log is maintained of authorized users’ activity and keep an eye out for unauthorized access. Banner currently provides this functionality on a limited basis with a full logging system to be delivered during the current year by Ellucian. Risk assessments of all NIST 800-171 controls are conducted annually using WolfPac. CU uses a continuous improvement model. This year, CU identified improvements we could make in data loss prevention. CU already uses Microsoft’s data loss prevention features, but determined CU could also use Trendmicro’s DLP feature to further lessen the likelihood that emails or files containing PII will be shared. The other improvement CU made was by blocking network traffic from designated countries outside the US. CU can’t block all countries besides the US because the needs of our international students must be met. Vulnerability scans are conducted externally by CISA of Homeland Security weekly and internal vulnerability scans are conducted monthly using NESSUS. Simulated phishing campaigns are run continuously throughout the year through the KnowBe4 software which provides an institution risk score along with the industry average for phish-prone comparison. Risk scores are also assigned to each employee. CU’s average phish-prone percentage is 4.9 compared to the industry 5.5%. The phish prone percentage for the last campaign is 3%. CU has the following policies and procedures which are reviewed by the IT Council and IT Security Council: • Acceptable Use of Information Technology Policy • Disaster Recovery • Incident Response • Information Security Policy • Wireless Network policy Third parties are required to sign a document as part of the contract signifying security compliance. 
Additionally, all third-party software is included in the vulnerability scans. Changes are determined and implemented based on the risk assessments and regular review of security information from external and internal sources by the IT Security Council. CU has a written Incident Response Procedure which became effective on March 8, 2022. The Chief Information Officer reports at least annually on the institution’s information security program. After reviewing the security plan in February in the Security Council Meeting, CU determined that adding a section on multifactor authentication was overlooked. CU does require and enforce MFA on all employees, but it is not documented in the plan. This will be added to the plan and approved at the next meeting. Fairmont State University (FSU) response A written program was developed in May 2023; management has reviewed and signed the documentation for the written information security program. The written program is effective January 2024. Marshall University (MU) response A regular review of each policy is being implemented per recommendations by our cybersecurity advisor in the 2023 GLBA Assessment Report. Information Technology (IT) policies and administrative procedures are being updated by the Marshall University IT Council (ITC). Once updated, they will be scheduled for an annual policy review as part of the IT activity wheel as a corrective action for this finding. In late June 2023, a GLBA Risk Assessment was conducted by an external cyber security advisor. Remediation of findings from this risk assessment is currently underway by a cross-functional team led by IT. Priority is being placed on addressing updates to 14 CFR 314.4 which took effect in early June 2023. 
As a corrective action for this finding, the CISO revise the written information security program to reflect the latest updates to 14 CFR 314.4. New River Community and Technical College (NRCTC) response NRCTC’s Data Stewards will be reviewing and approving this information each spring and then sharing that approval with the President’s Cabinet so that it appears in the minutes as evidence for the next audit. NRCTC also developed GLBA Compliance Procedures which were implemented in January 2024. Pierpont Community and Technical College (PCTC) response PCTC’s Information Security Program is overseen and administered by the CIO of the Institution. The CIO will use all information that can be gathered to help protect the Institution. PCTC uses multiple vendors to help identify and mitigate internal and external risks. A third-party vendor is used to perform a yearly security audit. A weekly cyber hygiene assessment is provided to the Institution by CISA. A third-party vendor is used to patch and maintain all on-prem networking equipment to the latest patch levels where needed including firewalls and internal equipment. The following safeguards are used: a. Physical access to all sensitive information technology (IT) areas is locked down via either key or keycard access and follow the access to security controlled spaces policy. PCTC adheres to a least privileged access model for sensitive data. b. Random periodic checks are done on data inventory throughout the year. c. The system that houses all student systems and employee information is hosted on web-based systems and the connections are encrypted and secure. Email to outside parties that contain sensitive information is encrypted. The data security policy will be followed. d. PCTC does not use any in-house developed applications. e. Multi-factor authentication (MFA) will be turned on for email and all other SSO applications in the first quarter of 2024 for all internal employees. 
f. Any data stored electronically on physical media is disposed of using a third-party vendor that provides the Institution with a certificate of destruction and follows the Computer Disposal Policy. g. All PCTC systems and networks are periodically reviewed for changes. Any changes outside of a standard change (i.e. Windows updates), will be logged in the change control document. h. System logs and privileged access groups (i.e. domain admins, etc.) are routinely reviewed for inappropriate changes. PCTC uses the information from the yearly audit in conjunction with the weekly cyber hygiene report to test and monitor any remediations that have been deployed. PCTC is currently working on a formal policy committee approval process that will be implemented within the first quarter of 2024. At this time, all IT policies will be formally accepted and followed. PCTC will have a service contract and/or business agreement in place with all outside vendors that will outline the terms and scope between the two entities. All information that is discovered from all audits, testing, scans, or other tools that the IT department deems necessary, will be used to remediate and/or help make changes to existing policies to help protect PCTC and all users’ data. Shepherd University (SU) response Joseph Dagg serves as the CIO/CISO, Director of IT Services and serves as the point of contact for all things data security related, including GLBA as the Privacy Officer. Effective February 2024, activities performed as normal operations include access controls being reviewed at minimum once per year internally. Additionally, access/purge processes are executed on a rolling basis for students per year. Inventory of data occurs at minimum once per year internally. Protocols adhere to internal processes approving access via Banner custodian group. All data is encrypted at all stages, including transit. No apps are developed by SU. MFA is active. 
Customer information is retained/disposed according to internal guidelines within IT Services of data. Changes are anticipated and regularly reviewed internally and externally with the aid of IT consultants and vendors to ensure our security posture. User logs are reviewed at a minimum of once per year internally. Internally, IT management meets every month to discuss security and additional processes that need accounted for in addition to monthly stand-up meetings to account for immediate agile changes. Internally, executive governance meetings occur at minimum annually to review existing policies and address security issues to forecast change. Internally, SU will be working with IT consultants and external vendors to participate in table top security exercises to test/validate internal procedures. Monthly and quarterly, Nessus scans are performed to assess risks and mitigation needs within network, adhering to the CISA and NIST protocols for data security. Executive governance staff, internal IT management, IT consultant and vendors work cohesively together to provide a pathway to improve our security posture. Effective immediately, IT Services will review all affiliated policies, procedures, and activities related to GLBA compliance on a quarterly basis. Results of these reviews and/or any corrective actions identified will be documented and retained through the IT ticketing system for future reference. West Liberty University (WLU) response WLU is active in evaluating the need and designing a procedure to ensure documentation relating to evidence of management reviews of user access to the WLU production network and our Banner financial system. The procedure will be complete by February 2024 and implemented immediately thereafter. It will include a minimum of two reviews per fiscal cycle. 
West Virginia Northern Community College (WVNCC) response The WVNCC IT Policies have been updated as of February 2024 to include the previous missing items of 1) designate the Director of IT to oversee and implement security programs and 2) periodic review schedule of access controls. West Virginia State University (WVSU) response WVSU concurs with the finding and has developed a plan of action to include the following: 1. Review and Identify Gaps: Conduct a thorough review of the current Information Security Program (ISP) against the requirements outlined in 16 CFR 314.4 and identify specific elements that are missing or inadequately addressed in the existing ISP. 2. Develop a Remediation Plan: Based on the identified gaps and insights through discussions with management and experts, create a detailed remediation plan and clearly outline the steps required to address each missing element in the ISP, including timelines, responsibilities, and resources needed. 3. Update Information Security Program: Implement the remediation plan by updating the Information Security Program to incorporate all the required elements specified in 16 CFR 314.4 and ensure that the revised ISP reflects best practices and industry standards for information security. 4. Training and Awareness Programs: Conduct training sessions and awareness programs for WVSU faculty and staff involved in the management and implementation of the Information Security Program and emphasize the importance of compliance with regulatory standards and educate staff on their roles and responsibilities in maintaining information security. 5. Periodic Reviews and Audits: Establish a system for periodic internal reviews of the Information Security Program to ensure ongoing compliance and implement a feedback loop that allows for continuous improvement and adjustments to the ISP based on changing regulatory requirements and emerging threats. 
6. Documentation and Reporting: Maintain comprehensive documentation of the updated Information Security Program, including the rationale for each inclusion and the corresponding actions taken. 7. Continuous Monitoring: Implement a continuous monitoring process to track the effectiveness of the updated ISP in real-time and utilize automated tools and regular risk assessments to identify and address any new vulnerabilities or compliance gaps promptly. 8. Communication and Transparency: Communicate the changes made to the Information Security Program transparently to all relevant stakeholders and foster a culture of openness and encourage reporting of any potential security issues or concerns. By following this plan of action, WVSU can implement the updated Information Security Program, and demonstrate a commitment to maintaining a robust and compliant information security posture by August 2024. West Virginia University at Parkersburg (WVU-P) response By March 29, 2024, WVU-P will implement a formal tracking program that will adequately document the review process of its Information Security Program. Review will occur the month of March for all sections of the Security Program by the designated responsible party and will repeat annually. Each section will be listed in a spreadsheet, shared with the appropriate responsible parties, along with the following details: section name, responsible party, last update date, last updated by, last review date, last reviewed by, and additional notes. All reviews will be tracked using this spreadsheet. 
Additionally, by March 29, 2024, WVU-P will implement and enforce the following password settings for Banner accounts: ● Minimum password length of <x> ● Password complexity requirements (Upper, lowercase, numbers, and symbols required) ● History (last three passwords will be checked) ● Account lockout: 3 attempts, 30 minute lock out ● WVU-P currently utilizes unique accounts for privileged access and will continue to prohibit the sharing of default privileged accounts. By March 29, 2024, WVU-P will add internally developed applications to the annual formal review process. Application reviews will use the same process as Access Control and Information Security Policy reviews. Applications will be reviewed to identify which specific data sources are used, how they are used, and the potential impact of unauthorized access. Additionally, applications will be reviewed to ensure that industry standard security best practices are followed.
INTERNAL CONTROLS OVER INFORMATION TECHNOLOGY Workforce West Virginia (WWV) Assistance Listing Number 17.225 WWV will create policies and procedures to be effective March 2024 which document the process for periodic review of administrative access and user access for the ABPS and UI Tax systems. Appropriate staff will be trained once the policies and procedures are implemented. The wvOASIS SOC audit report for 2023 was completed in September 2023 and WWV is in the process of reviewing the report at this time. Disaster Recovery testing was conducted with WV Office of Technology and the mainframe vendor Ensono October 16-19, 2023.
SUBRECIPIENT MONITORING Department of Environmental Protection (DEP) Assistance Listing Number 15.252 Effective April 2024, DEP will prepare and implement a written risk assessment policy containing monitoring and compliance review standards. DEP will also prepare and implement written standard operating procedures to assist in measuring subrecipient risk.
TRANSPARENCY ACT REPORTING Department of Environmental Protection (DEP) Assistance Listing Number 15.252 Effective February 2024, DEP will implement the following steps to correct the finding: 1. Review 2 CFR 200.303 and the Federal Funding Accountability and Transparency Act (2 CFR 170) to determine the requirements and proper procedures in submitting FFATA reports in FSRS. 2. Evaluate the agency’s current standard operating procedure for submitting FFATA reports and identify deficiencies that address accuracy, accountability, and segregation of duties in approving and submitting reports. 3. Update the agency’s current standard operating procedures to better meet the requirements of 2 CFR 200.303 and the Federal Funding Accountability and Transparency Act (2 CFR 170) and address proper segregation of duties in reviewing, approving, and submitting FFATA reports.
TRANSPARENCY ACT REPORTING West Virginia Community Development Block Grant Program (CDBG) Assistance Listing Number 14.228 The CDBG program has experienced turnover in staff during the last year. While CDBG knows the FFATA report was submitted, a physical copy of this report could not be provided, and it cannot be verified if it was submitted on time. In the FSRS system, only the person who creates the original report can view, edit, and pull the actual report, and since the employee who was responsible for submitting this report is no longer with the agency, it cannot be determined when it was originally submitted. CAD staff have since recreated the report in the FSRS system so there is a copy of the report. To ensure this doesn't happen in the future, CAD staff has completed FFATA training for the personnel involved in the reporting process. CAD staff is creating a calendar with due dates for the program's reporting requirements to ensure the dates are not missed. Once the report is submitted in the FSRS system, staff is required to save a copy of the report in shared files. CAD is also looking to implement a system where a centralized person is responsible for submitting the FSRS reports to ensure all processes are completed and documents saved correctly.
TRANSPARENCY ACT REPORTING Department of Education (DOE) Assistance Listing Number 10.553, 10.555, 10.556, 10.559, 10.582 Setting up a process to comply with the FFATA reporting requires retrieving information from multiple systems. In addition, child nutrition reimbursements are more complex than grants that have a known subrecipient amount. Due to the complexity, DOE is relying on guidance from the USDA to complete reporting procedures. DOE is currently waiting to get answers to several questions that are preventing full development of a process. USDA is also working to help DOE find another state agency that can help with unanswered questions. A FFATA reporting process is anticipated to be in place by July 1, 2024.