Corrective Action Plans

Browse how organizations respond to audit findings

SUBRECIPIENT MONITORING West Virginia Community Advancement and Development (WV CAD) Assistance Listing Number 93.568, COVID-19 93.568 Between the years 2022 and 2023, the Weatherization Assistance Program (WAP) experienced a significant turnover in its staff. As a result of this turnover, the proper adherence to the requirement of 2 CFR 200.332(f) for verifying subrecipients was not followed during the auditing process. To ensure that this requirement is met in the future, WV CAD has taken measures to document the policies and procedures related to the financial audit requirements of 2 CFR 200.332(f) in the current WAP State Plan. A designated team member has been assigned the responsibility of maintaining a comprehensive tracking list, which includes the due dates of audits, their review dates, any necessary subrecipient corrective action plans, the dates of letter correspondence, and the uploading of all relevant documents into the division's Shared Drive. Additionally, this team member is also responsible for downloading the audits from the Federal Audit Clearinghouse and submitting the information to the Fiscal Monitor for a thorough accounting review. These measures aim to ensure proper compliance and accountability within the Weatherization Assistance Program. This action will be implemented in February 2024.
TRANSPARENCY ACT REPORTING Department of Health and Human Resources (DHHR) Assistance Listing Number 93.558, COVID-19 93.558, 93.568, COVID-19 93.568 The DHHR enhanced its controls over Transparency Act reporting for LIHEAP during State Fiscal Year 2023 and met with various staff members internal and external to the DHHR (e.g., at other State agencies) to ensure everyone was aware and understood their roles in ensuring compliance on behalf of the State. Although those controls are in full effect for fiscal year 2024, the DHHR will revisit and enhance the controls to the maximum extent possible. Furthermore, the DHHR will reopen its previous submissions to the FSRS and revise the data elements to those assigned by the other State agency to their subrecipients; considering the need to consult with the DHHR spending unit and the other State agency, the anticipated date for completion is April 1, 2024.
SUBRECIPIENT MONITORING Department of Education (DOE) Assistance Listing Number 93.558, COVID-19 93.558 Program management will implement policies and procedures to ensure that the subrecipient monitoring is updated to “ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the passthrough entity must provide the best information available to describe the federal award and subaward.” The timeline for the development and initiation of the process is tentatively set for February 1, 2024.
INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING Department of Health and Human Resources (DHHR) Assistance Listing Number 93.788, 93.323, COVID-19 93.323, 93.575, 93.596, COVID-19 93.575, 93.558, COVID-19 93.558 This finding is a repeat of prior year finding 2022-041. As related to the first paragraph of the corrective action plan for 2022-041, the new risk assessment form and related processes are still under review within the DHHR. Regarding the second paragraph of that corrective action plan, the DHHR developed a series of certifications that will replace the mandatory monitoring checklist currently in use within the DHHR. The certifications will be part of the workflow within the DHHR's subrecipient Grants Management Solution system (CRM). One of the certifications will be based on the requirements for pass-through entities within the Code of Federal Regulations at 2 CFR 200.332(b) and will require DHHR spending units to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate level of monitoring to apply to the award. The level of monitoring applied to a particular subrecipient for an individual grant award will depend on multiple factors, such as the subrecipient's prior experience with the same or similar grant awards or programs; the subrecipient's prior experience with any type of grant award or program; the results of previous external audits or internal reviews, including whether or not the subrecipient receives a Single Audit in accordance with 2 CFR 200 Subpart F ("Audit Requirements"); and whether the subrecipient has new personnel or new or substantially changed systems. When a DHHR spending unit considers these [and other] factors prior to awarding a grant, they are in essence evaluating the subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the grant award. 
If an evaluation of such factors proves that the subrecipient's risk of noncompliance is high, the award will still be made to address a programmatic need, and special conditions that correspond to the degree of risk may be applied to the award. In other words, the DHHR spending unit may adjust or impose specific and additional award conditions upon a subrecipient if the evaluation proves that such additional conditions are appropriate. Special conditions would include but not be limited to requiring payments as reimbursements rather than advance payments; withholding authority to process to the next phase until receipt of evidence of acceptable performance within a given performance period; requiring additional, more detailed financial reports; requiring additional project monitoring; requiring the subrecipient to obtain technical or management assistance; and establishing additional prior approvals. Although none of these requirements are new within the DHHR, adding a certification directly within the CRM workflow to address such matters will provide the DHHR with an ability to embed various controls directly within the system, provide a higher level of assurance over the risk assessment and monitoring process, increase accountability on the part of the spending units, and provide a more effective audit trail. Given these expanded goals and the need to work with a contractor on adding these additional controls within the CRM system, the DHHR plans to implement the controls via a manual process first, with a desired date for completion of May 31, 2024.
ALLOWABILITY Department of Education (DOE) Assistance Listing Number COVID-19 84.425D, 84.425U The DOE plans to strengthen its internal controls by putting in place a review of procurement procedures prior to the Local Educational Agency (LEA) finalizing a purchase. This control will entail DOE working with LEAs to monitor their internal control procedures for procurement and testing these procedures randomly throughout the year. The questioned costs were first identified as stringing in the FY21 monitoring. Subsequently, there was a repeat finding with the same vendor in FY22 which raised additional questions. The LEA was required to do an additional training put on by the DOE to improve knowledge/procedures of WV Policy 8200. The DOE plans to address these issues by working with the LEA to move the expenses off federal monies. Along with working with the LEA, the DOE is working with the FBI, West Virginia State Police, and the Office of the Inspector General to investigate the spending and the vendor themselves.
View Audit 293105 Questioned Costs: $1
REPORTING Department of Education (DOE) Assistance Listing Number COVID-19 84.425D, 84.425R 84.425U, 84.425V Effective February 2024, the DOE plans to continue to enforce the existing policies and procedures in place along with ensuring all required documentation is retained for review. The DOE plans to review the ESSER Reporting Workbook by testing several indicator values i.e. expenditure amounts, demographic data, etc. There will be an approval process put in place once the Local Education Agency (LEA) submits the reports to the state. This approval process will include reviewing the edit checks with the LEA prior to final certification of data. Certification data will include an email from the LEA approving the final copy of the ESSER Reporting Workbook.
TRANSPARENCY ACT REPORTING Department of Education (DOE) Assistance Listing Number COVID-19 84.425C, COVID-19 84.425D The West Virginia Department of Education, Office of Internal Operations has established internal controls and procedures over the FFATA reporting, which were set in place as of July 1, 2023. These procedures involve a second reviewer of the monthly FFATA reports and a signature of approval prior to reporting each month.
SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY Blue Ridge Community and Technical College, Bluefield State University, Concord University, Fairmont State University, Marshall University, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia State University, and West Virginia University at Parkersburg Assistance Listing Number 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.264, 93.342, 93.364 Blue Ridge Community and Technical College (BRCTC) response Management acknowledges that BRCTC did not retain documentation for the review of the written information security policy during the audit year in question. Effective January 2024, documentation will be kept for the annual review of the written information security policy. Bluefield State University (BSU) response BSU will implement policies and procedures by May 2024 to ensure policies and procedures are in place to address the 7 elements and 8 safeguards that are in the Information Security Program. Concord University (CU) response A Complete Risk Assessment was conducted and completed in May 2023 using the ITIL standards. CU also completed the annual GLBA Risk Assessment using the WolfPac software from Wolf and Company in June 2023. This assessment is done in conjunction with Information Technology, Financial Aid, and the Business Office to evaluate the Controls established by NIST 800-171. In addition, CU uses the KnowBe4 product to do simulated phishing campaigns to test the effectiveness of the CyberSecurity Training. CU and every individual are assigned a Risk Score that can be compared to scores for the industry. Anyone that falls for a simulated phishing email is automatically enrolled in additional training. 
CU has also added the phish reporting function to email clients so everyone can easily report suspected phishing emails for analysis by IT. The GLBA Risk Assessment addresses the following: Employee training and management: All employees are required to complete two trainings each year. One on privacy focused on FERPA and the other on cybersecurity. Current training is being provided using the KnowBe4 software product. CU has reviewed the access to all college resources, especially Banner over the past few months, and made necessary changes to each employee’s access as needed. This review was completed by the Banner data custodians and supervisors. This allows us to ensure alignment of user privileges and job responsibilities. Access to all Banner data was approved by the appropriate data custodian. This is documented and archived in an IT account. All users are required to enter a unique username and password to gain access and are required to meet Microsoft’s password complexity standards. Another important safeguard is physical security. All telecommunication closets are secured by locks and only IT staff has access via a master key or badge. This also is true of the Data Center which houses our on-campus servers. Access to all of our campus services is secured by VPN tunnels. Trend Micro is used to protect client PCs. CU also uses BitLocker on mobile equipment used by employees to encrypt the data. Data that may be stored on mobile devices is required to be encrypted. CU is currently creating a data retention policy for the retention and disposal of data. This policy will meet the state and federal requirements for data retention. Information Systems, including network and software design, as well as information processing, storage, transmission, and disposal: A complete risk assessment was conducted and completed in May 2023 using the ITIL standards. CU completed a risk assessment using the WolfPac software from Wolf and Company in June 2023. 
In addition, CU uses the KnowBe4 product to do simulated phishing campaigns to test the effectiveness of the cybersecurity training. The institution and every individual are assigned a risk score that can be compared to scores for the industry. Anyone that falls for a simulated phishing email is automatically enrolled in additional training. CU has also added the phish reporting function to email clients so everyone can easily report suspected phishing emails for analysis by IT. Detecting, preventing, and responding to attacks, intrusions, or other system failures. CU uses a Fortinet Fortigate Appliance to provide Intrusion Prevention System (IPS), Firewall, and Virtual Private Network (VPN) connections to campus. Regular software maintenance and patch management of network equipment is performed. Network patches are deployed in a test bed as they are released. If no issues are found, they are deployed to production network equipment. Systems are monitored weekly and required patches are first cleared with Enterprise Systems to ensure compatibility with Student Information System before production implementation. CU created the incident response plan and disaster recovery plan in 2022. CU partnered with CISA of Homeland Security to conduct weekly vulnerability scans using their Cyber Hygiene Services in 2022. CU also uses Nessus to do internal vulnerability scans on a monthly basis. CU is using these reports to make needed changes to network and server infrastructure to stay as protected as possible from threats. CU implemented multifactor authentication for all employees in 2022. Backups of the student information system are facilitated by Oracle in our Oracle cloud environment using the Oracle database backup cloud service. Production backups are configured to retain 45 days of changes. CU conducts redundant nightly backups that will be stored on-campus for 365-day coverage and retention. CU also implemented immutable backups through Oracle during 2023. 
Safeguards for each risk were identified. Safeguards for each risk were discussed and are shown in the Risk Assessment. CU identified two areas for improvement: implementing data loss prevention in TrendMicro Apex 1 and blocking traffic from unfriendly nations. Implement and periodically review access controls. Access to Banner is reviewed annually by the data stewards and any unnecessary employee access is removed. Additionally, access is removed when employees leave the institution. CU conducts a periodic inventory of data, noting where it’s collected, stored, or transmitted. This is done as part of the GLBA risk assessment using WolfPac. CU encrypts customer information on the institution’s system and when it’s in transit. BitLocker is used on university equipment to encrypt the entire computer hard drive. Security channels are used to transfer data when needed. A VPN tunnel and web access firewalls are used to access the Banner data in the Oracle Cloud Infrastructure (OCI). The databases are encrypted at rest and in transit. Assess apps are developed by CU and internal and external vulnerability scans are conducted. CU also reviews system logs and uses well supported development frameworks and tools. CU implemented multi-factor authentication for anyone accessing customer information on the institution’s system. Multi-factor authentication is required of all employees before they can access CU resources off-site. The employee network is segmented on its own virtual local area network. CU disposes of customer information securely and purged online forms that are no longer needed, especially those that contain PII. Financial Aid recently destroyed old documents using an onsite shredding service after scanning the documents that needed to be retained. For equipment, CU removes hard drives before the equipment is recycled and destroys the drives. CU anticipates and evaluates changes to the information system or network. 
CU plans for changes to information systems and the network and incorporates appropriate measures to ensure both physical and data security. Banner upgrades and changes are tested by the Banner users group before they are placed into production. A log is maintained of authorized users’ activity and keep an eye out for unauthorized access. Banner currently provides this functionality on a limited basis with a full logging system to be delivered during the current year by Ellucian. Risk assessments of all NIST 800-171 controls are conducted annually using WolfPac. CU uses a continuous improvement model. This year, CU identified improvements we could make in data loss prevention. CU already uses Microsoft’s data loss prevention features, but determined CU could also use Trend Micro’s DLP feature to further lessen the likelihood that emails or files containing PII will be shared. The other improvement CU made was by blocking network traffic from designated countries outside the US. CU can’t block all countries besides the US because the needs of our international students must be met. Vulnerability scans are conducted externally by CISA of Homeland Security weekly and internal vulnerability scans are conducted monthly using Nessus. Simulated phishing campaigns are run continuously throughout the year through the KnowBe4 software which provides an institution risk score along with the industry average for phish-prone comparison. Risk scores are also assigned to each employee. CU’s average phish-prone percentage is 4.9 compared to the industry 5.5%. The phish-prone percentage for the last campaign is 3%. CU has the following policies and procedures which are reviewed by the IT Council and IT Security Council:
• Acceptable Use of Information Technology Policy
• Disaster Recovery
• Incident Response
• Information Security Policy
• Wireless Network policy
Third parties are required to sign a document as part of the contract signifying security compliance. 
Additionally, all third-party software is included in the vulnerability scans. Changes are determined and implemented based on the risk assessments and regular review of security information from external and internal sources by the IT Security Council. CU has a written Incident Response Procedure which became effective on March 8, 2022. The Chief Information Officer reports at least annually on the institution’s information security program. After reviewing the security plan in February in the Security Council Meeting, CU determined that adding a section on multifactor authentication was overlooked. CU does require and enforce MFA on all employees, but it is not documented in the plan. This will be added to the plan and approved at the next meeting. Fairmont State University (FSU) response A written program was developed in May 2023; management has reviewed and signed the documentation for the written information security program. The written program is effective January 2024. Marshall University (MU) response A regular review of each policy is being implemented per recommendations by our cybersecurity advisor in the 2023 GLBA Assessment Report. Information Technology (IT) policies and administrative procedures are being updated by the Marshall University IT Council (ITC). Once updated, they will be scheduled for an annual policy review as part of the IT activity wheel as a corrective action for this finding. In late June 2023, a GLBA Risk Assessment was conducted by an external cyber security advisor. Remediation of findings from this risk assessment is currently underway by a cross-functional team led by IT. Priority is being placed on addressing updates to 14 CFR 314.4 which took effect in early June 2023. 
As a corrective action for this finding, the CISO will revise the written information security program to reflect the latest updates to 14 CFR 314.4. New River Community and Technical College (NRCTC) response NRCTC’s Data Stewards will be reviewing and approving this information each spring and then sharing that approval with the President’s Cabinet so that it appears in the minutes as evidence for the next audit. NRCTC also developed GLBA Compliance Procedures which were implemented in January 2024. Pierpont Community and Technical College (PCTC) response PCTC’s Information Security Program is overseen and administered by the CIO of the Institution. The CIO will use all information that can be gathered to help protect the Institution. PCTC uses multiple vendors to help identify and mitigate internal and external risks. A third-party vendor is used to perform a yearly security audit. A weekly cyber hygiene assessment is provided to the Institution by CISA. A third-party vendor is used to patch and maintain all on-prem networking equipment to the latest patch levels where needed including firewalls and internal equipment. The following safeguards are used: a. Physical access to all sensitive information technology (IT) areas is locked down via either key or keycard access and follows the access to security controlled spaces policy. PCTC adheres to a least privileged access model for sensitive data. b. Random periodic checks are done on data inventory throughout the year. c. The system that houses all student systems and employee information is hosted on web-based systems and the connections are encrypted and secure. Email to outside parties that contains sensitive information is encrypted. The data security policy will be followed. d. PCTC does not use any in-house developed applications. e. Multi-factor authentication (MFA) will be turned on for email and all other SSO applications in the first quarter of 2024 for all internal employees. f. 
Any data stored electronically on physical media is disposed of using a third-party vendor that provides the Institution with a certificate of destruction and follows the Computer Disposal Policy. g. All PCTC systems and networks are periodically reviewed for changes. Any changes outside of a standard change (i.e. Windows updates), will be logged in the change control document. h. System logs and privileged access groups (i.e. domain admins, etc.) are routinely reviewed for inappropriate changes. PCTC uses the information from the yearly audit in conjunction with the weekly cyber hygiene report to test and monitor any remediations that have been deployed. PCTC is currently working on a formal policy committee approval process that will be implemented within the first quarter of 2024. At this time, all IT policies will be formally accepted and followed. PCTC will have a service contract and/or business agreement in place with all outside vendors that will outline the terms and scope between the two entities. All information that is discovered from all audits, testing, scans, or other tools that the IT department deems necessary, will be used to remediate and/or help make changes to existing policies to help protect PCTC and all users’ data. Shepherd University (SU) response Joseph Dagg serves as the CIO/CISO, Director of IT Services and serves as the point of contact for all things data security related, including GLBA as the Privacy Officer. Effective February 2024, activities performed as normal operations include access controls being reviewed at minimum once per year internally. Additionally, access/purge processes are executed on a rolling basis for students per year. Inventory of data occurs at minimum once per year internally. Protocols adhere to internal processes approving access via Banner custodian group. All data is encrypted at all stages, including transit. No apps are developed by SU. MFA is active. 
Customer information is retained/disposed according to internal guidelines within IT Services of data. Changes are anticipated and regularly reviewed internally and externally with the aid of IT consultants and vendors to ensure our security posture. User logs are reviewed at a minimum of once per year internally. Internally, IT management meets every month to discuss security and additional processes that need accounted for in addition to monthly stand-up meetings to account for immediate agile changes. Internally, executive governance meetings occur at minimum annually to review existing policies and address security issues to forecast change. Internally, SU will be working with IT consultants and external vendors to participate in table top security exercises to test/validate internal procedures. Monthly and quarterly, Nessus scans are performed to assess risks and mitigation needs within network, adhering to the CISA and NIST protocols for data security. Executive governance staff, internal IT management, IT consultant and vendors work cohesively together to provide a pathway to improve our security posture. Effective immediately, IT Services will review all affiliated policies, procedures, and activities related to GLBA compliance on a quarterly basis. Results of these reviews and/or any corrective actions identified will be documented and retained through the IT ticketing system for future reference. West Liberty University (WLU) response WLU is active in evaluating the need and designing a procedure to ensure documentation relating to evidence of management reviews of user access to the WLU production network and our Banner financial system. The procedure will be complete by February 2024 and implemented immediately thereafter. It will include a minimum of two reviews per fiscal cycle. 
West Virginia Northern Community College (WVNCC) response The WVNCC IT Policies have been updated as of February 2024 to include the previous missing items of 1) designate the Director of IT to oversee and implement security programs and 2) periodic review schedule of access controls. West Virginia State University (WVSU) response WVSU concurs with the finding and has developed a plan of action to include the following: 1. Review and Identify Gaps: Conduct a thorough review of the current Information Security Program (ISP) against the requirements outlined in 16 CFR 314.4 and identify specific elements that are missing or inadequately addressed in the existing ISP. 2. Develop a Remediation Plan: Based on the identified gaps and insights through discussions with management and experts, create a detailed remediation plan and clearly outline the steps required to address each missing element in the ISP, including timelines, responsibilities, and resources needed. 3. Update Information Security Program: Implement the remediation plan by updating the Information Security Program to incorporate all the required elements specified in 16 CFR 314.4 and ensure that the revised ISP reflects best practices and industry standards for information security. 4. Training and Awareness Programs: Conduct training sessions and awareness programs for WVSU faculty and staff involved in the management and implementation of the Information Security Program and emphasize the importance of compliance with regulatory standards and educate staff on their roles and responsibilities in maintaining information security. 5. Periodic Reviews and Audits: Establish a system for periodic internal reviews of the Information Security Program to ensure ongoing compliance and implement a feedback loop that allows for continuous improvement and adjustments to the ISP based on changing regulatory requirements and emerging threats. 6. 
Documentation and Reporting: Maintain comprehensive documentation of the updated Information Security Program, including the rationale for each inclusion and the corresponding actions taken. 7. Continuous Monitoring: Implement a continuous monitoring process to track the effectiveness of the updated ISP in real-time and utilize automated tools and regular risk assessments to identify and address any new vulnerabilities or compliance gaps promptly. 8. Communication and Transparency: Communicate the changes made to the Information Security Program transparently to all relevant stakeholders and foster a culture of openness and encourage reporting of any potential security issues or concerns. By following this plan of action, WVSU can implement the updated Information Security Program, and demonstrate a commitment to maintaining a robust and compliant information security posture by August 2024. West Virginia University at Parkersburg (WVU-P) response By March 29, 2024, WVU-P will implement a formal tracking program that will adequately document the review process of its Information Security Program. Review will occur the month of March for all sections of the Security Program by the designated responsible party and will repeat annually. Each section will be listed in a spreadsheet, shared with the appropriate responsible parties, along with the following details: section name, responsible party, last update date, last updated by, last review date, last reviewed by, and additional notes. All reviews will be tracked using this spreadsheet. 
Additionally, by March 29, 2024, WVU-P will implement and enforce the following password settings for Banner accounts:
● Minimum password length of <x>
● Password complexity requirements (Upper, lowercase, numbers, and symbols required)
● History (last three passwords will be checked)
● Account lockout: 3 attempts, 30 minute lock out
● WVU-P currently utilizes unique accounts for privileged access and will continue to prohibit the sharing of default privileged accounts.
By March 29, 2024, WVU-P will add internally developed applications to the annual formal review process. Application reviews will use the same process as Access Control and Information Security Policy reviews. Applications will be reviewed to identify which specific data sources are used, how they are used, and the potential impact of unauthorized access. Additionally, applications will be reviewed to ensure that industry standard security best practices are followed.
INTERNAL CONTROLS OVER INFORMATION TECHNOLOGY Workforce West Virginia (WWV) Assistance Listing Number 17.225 WWV will create policies and procedures to be effective March 2024 which documents the process for periodic review of administrative access and user access for the ABPS and UI Tax systems. Appropriate staff will be trained once the policies and procedures are implemented. The wvOASIS SOC audit report for 2023 was completed in September 2023 and WWV is in the process of reviewing the report at this time. Disaster Recovery testing was conducted with WV Office of Technology and the mainframe vendor Ensono October 16-19, 2023.
SUBRECIPIENT MONITORING Department of Environmental Protection (DEP) Assistance Listing Number 15.252 Effective April 2024, DEP will prepare and implement a written risk assessment policy containing monitoring and compliance review standards. DEP will also prepare and implement written standard operating procedures to assist in measuring subrecipient risk.
TRANSPARENCY ACT REPORTING Department of Environmental Protection (DEP) Assistance Listing Number 15.252 Effective February 2024, DEP will implement the following steps to correct the finding: 1. Review 2 CFR 200.303 and the Federal Funding Accountability and Transparency Act (2 CFR 170) to determine the requirements and proper procedures in submitting FFATA reports in FSRS. 2. Evaluate the agency’s current standard operating procedure for submitting FFATA reports and identify deficiencies that address accuracy, accountability, and segregation of duties in approving and submitting reports. 3. Update the agency’s current standard operating procedures to better meet the requirements of 2 CFR 200.303 and the Federal Funding Accountability and Transparency Act (2 CFR 170) and address proper segregation of duties in reviewing, approving, and submitting FFATA reports.
TRANSPARENCY ACT REPORTING West Virginia Community Development Block Grant Program (CDBG) Assistance Listing Number 14.228 The CDBG program has experienced turnover in staff during the last year. While CDBG knows the FFATA report was submitted, a physical copy of this report could not be provided, and it cannot be verified if it was submitted on time. In the FSRS system, only the person who creates the original report can view, edit, and pull the actual report, and since the employee who was responsible for submitting this report is no longer with the agency, it cannot be determined when it was originally submitted. CAD staff have since recreated the report in the FSRS system so there is a copy of the report. To ensure this doesn't happen in the future, CAD staff has completed FFATA training for the personnel involved in the reporting process. CAD staff is creating a calendar with due dates for the program's reporting requirements to ensure the dates are not missed. Once the report is submitted in the FSRS system, staff is required to save a copy of the report in shared files. CAD is also looking to implement a system where a centralized person is responsible for submitting the FSRS reports to ensure all processes are completed and documents saved correctly.
TRANSPARENCY ACT REPORTING Department of Education (DOE) Assistance Listing Number 10.553, 10.555, 10.556, 10.559, 10.582 Setting up a process to comply with the FFATA reporting requires retrieving information from multiple systems. In addition, child nutrition reimbursements are more complex than grants that have a known subrecipient amount. Due to the complexity, DOE is relying on guidance from the USDA to complete reporting procedures. DOE is currently waiting to get answers to several questions that are preventing full development of a process. USDA is also working to help DOE find another state agency that can help with unanswered questions. A FFATA reporting process is anticipated to be in place by July 1, 2024.
On a weekly basis, the Registrar will download the Registration Status Report from the student information system and review the report for accuracy. A copy will be provided to the Director of Financial Aid and the Accounts Receivable Coordinator to ensure all withdrawn students have been communicated in a timely fashion and all R2T4s are processed timely.
On a monthly basis, the Registrar will download the Registration Status report from the student information system and review the report for accuracy to ensure all enrollment changes are captured. Once the review is complete, the information will be uploaded to the National Student Clearinghouse.
FINDING 2023-007 Subject: COVID-19 – Education Stabilization Fund – Special Tests and Provisions – Wage Rate Requirements Summary of Finding: The School Corporation had not properly designed or implemented an effective system of internal controls to prevent, or detect and correct, noncompliance. Recommendation We recommended that management of the School Corporation design and implement a proper system of internal control, including policies and procedures that would provide segregation of duties to ensure appropriate reviews, approvals and oversight are taking place. Contact Person Responsible for Corrective Action: Casey Howard Contact Phone Number: 574-842-3364 x806 Views of the Responsible Officials: We concur with the finding. Description of Corrective Action Plan: The corporation will create and implement an effective system to prevent, or detect and correct, noncompliance. We will create an oversight or review process to obtain the required certified payrolls. Anticipated Completion Date: Completed as of January 2024
FINDING 2023-006 Subject: COVID-19 – Education Stabilization Fund – Reporting Summary of Finding: The School Corporation did not submit annual reports in a timely manner during the first year of the audit period. Reimbursement requests included invoices which had been reimbursed previously and some requests did not agree with supporting documentation. Recommendation We recommended that management of the School Corporation establish a proper system of internal controls and develop policies and procedures to ensure reports are submitted timely and supporting documentation is used and retained for reimbursement requests. Contact Person Responsible for Corrective Action: Casey Howard Contact Phone Number: 574-842-3364 x806 Views of the Responsible Officials: We concur with the finding. Description of Corrective Action Plan: Reporting – The Treasurer and Deputy Treasurer will review and approve all grant reporting with Komputrol reports and grant approval. All deadlines will be submitted prior to due dates. The Superintendent, Treasurer, Deputy-Treasurer and/or Grant Writer will review all grant reimbursement requests prior to submission for accuracy. Anticipated Completion Date: Completed March 2023 – February 2024 INDIANA STATE
View Audit 293012 Questioned Costs: $1
FINDING 2023-002 Subject: Child Nutrition Cluster – Suspension and Debarment Summary of Finding: The School Corporation did not verify vendor suspension and debarment status prior to payment. Recommendation We recommended that management of the School Corporation establish a system of internal controls and develop policies and procedures to ensure contractors and subrecipients, as appropriate, are not suspended, debarred, or otherwise excluded prior to entering into any contracts or subawards. Contact Person Responsible for Corrective Action: Casey Howard Contact Phone Number: 574-842-3364 x806 Views of the Responsible Officials: We concur with the finding. Description of Corrective Action Plan: Food Service Director and/or Treasurer will utilize the procurement policy and will ensure all vendors paid with federal dollars have not been suspended or debarred. Anticipated Completion Date: Completed as of January 2024
FINDING 2023-002 Finding Subject: COVID-19 - Education Stabilization Fund - Reporting Summary of Finding: Reports submitted were not substantiated by the ledgers. Contact Person Responsible for Corrective Action: Kellie Romer (Corporation Treasurer/Finance Director) Contact Phone Number and Email Address: 765-653-9771 Ext. 1010, kromer@greencastle.k12.in.us Views of Responsible Officials: We concur with the finding Description of Corrective Action Plan: The school corporation will establish a proper system for internal controls and develop procedures to ensure reports are supported by the financial records. Anticipated Completion Date: Immediately 2/8/2024
Gramm-Leach-Bliley Act (GLBA) Compliance Planned Corrective Action: The college will create vendor review policies, update information security policy, and implement multi-factor authentication across all systems with personally identifiable information. A written report will be provided to the board. Person Responsible for Corrective Action Plan: James Williamson, Director of Information Technology Anticipated Date of Completion: August, 2024
Corrective Action Plan For the Year Ended May 31, 2023 Finding 2023-002 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests. Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal Regulations (CFR) 314.4 (b). Statement of Condition: The Institute performed a risk assessment however the safeguards for the risks identified were not formally documented through a policy. A formal policy was not reviewed in fiscal year 2023 which would have addressed required areas noted in 16 CFR 314.4 (b). Questioned Costs: Questioned costs could not be determined. Context: A policy and documentation linking the safeguards to the risk assessment was not formally written. The internal controls over compliance at the Institute did not identify the noncompliance. However, the Institute performed risk assessments and has appropriate safeguards for each area identified within 16 CFR 314.4(b). Cause: The Institute did not have internal controls in place to identify the need for the policy documenting the safeguards required by the Gramm-Leach-Bliley Act. Effect: The Institute has no verifiable evidence of the policy and the related safeguards for each risk identified. 
Recommendation: We recommend management review 16 CFR 314.4 (b) to create a policy that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures. This policy should be formalized and reviewed annually. We recommend that the Institute document the approval and acceptance of the policy. In addition, we recommend management review internal control processes for special tests and provisions on an annual basis. Status: In progress, anticipated completion September 2024 Corrective Action: Management agrees with the finding. We are currently developing a comprehensive cybersecurity policy to address 16 CFR 314.4 (b), which will be formalized, approved by Senior Staff, and reviewed annually. We are now conducting annual penetration tests, the most recent in December 2023, to address internal control processes. We have contracted with a planning team at CDW to determine best practices and perform training. We have begun providing a quarterly GLBA Compliance update to our board, with an annual comprehensive GLBA review to the board. Contact Matt Ogden Director of Technology 414.847.3223 mattogden@miad.edu Submitted Feb 23, 2024
Recommendation: The Authority should review all invoices being charged to the federal grant to ensure they are in compliance with grant agreements and to ensure the activity is being properly recorded in the general ledger. Action to be taken: The Authority concurs with the facts of this finding and will review and update standard operating procedures relating to the federal grants to avoid similar future occurrences.
Finding 2023-002 IV-D Cooperation with Child Support Name of contact person: Corrective Action: Proposed completion date: Finding 2023-003 Inaccurate Resources Entry Name of contact person: For the Year Ended June 30, 2023 Corrective Action Plan Section III - Federal Award Findings and Questioned Costs Section II - Financial Statement Findings July 1, 2023 Stephen McNally, Finance Director The Finance Department will attempt to make all necessary transfers of funds between Forfeiture accounts in the current period. However, this correction notification from US Treasury was not sent to the Finance department until after the reporting period in which the transaction took place. Kim Grissom, Family and Children's Medicaid Supervisor and Shelia Morton, Family and Children's Medicaid Supervisor Family and Children Medicaid Lead Workers and Supervisors will conduct second-party reviews on caseworkers. The supervisors will go over errors found by second parties during their team monthly meetings. The supervisors will hold individual performance meetings if cited for the same error. Lead Workers and Supervisors will conduct 100% second parties on caseworkers in their probationary period of 6 months unless extended by Supervisors due to performance and 5 applications and redeterminations on all other caseworkers per month. The supervisors will also ensure that caseworkers are up to date on changes that may come up and ensure that they give proper instruction when needed. Supervisors and/or Lead Workers will conduct monthly meetings which include mini trainings on errors found in second parties. Refresher trainings will be held quarterly for in-depth training regarding policy areas in which the Supervisors identify the need for. The Human Service Planner Evaluator will help keep track of repetitive errors and suggest trainings needed to Supervisors to ensure that policy/procedures are being implemented accordingly.
The Supervisors will schedule and hold a meeting to inform the Program Administrator of the errors found on second-party findings and provide a copy of the individual’s performance meeting held with the worker on any repetitive errors. Supervisors and or Lead workers will send training invites to Program Administrator, Staff Development, and Human Services Planner Evaluator, for monthly and at quarterly refresher trainings. To ensure that the caseworkers do not repeat these errors, the following will happen: policy training was held on November 30, 2022, for Family and Children Medicaid section MA- 3365. Documentation Template was last updated on November 3, 2023, which includes IVReferral reminder. Family and Children meeting will be held by November 30, 2023.
Condition: The School District’s controls did not prevent or detect and correct, in a timely manner, an employee’s time being charged to the Special Education Cluster that did not have adequate documentation. Additionally, the School District’s controls did not prevent or detect and correct, in a timely manner, updates to an employee status upon termination for employees charged to the Special Education Cluster and the Education Stabilization Fund. Planned Corrective Action: The School District concurs with the audit finding. The District has worked to strengthen internal controls to eliminate errors. The District will review its internal controls and provide additional training to staff. The School District is in the process of filling a Project Manager role on the Payroll Team who will be responsible for reviewing employee terminations and identifying potential overpayments. Until the role is filled, the Senior Director of Payroll and CFO will review employee exits quarterly to identify any potential overpayments and move funds to the general fund. New procedures for employee exit were rolled out in July in an effort to improve timely exiting of employees. Contact person responsible for corrective action: Jeremy Vidito, Chief Financial Officer Anticipated Completion Date: June 30, 2024
Specific Steps to Correct: Management has already corrected how it records interest earned on CDBG cash on-hand. Management will review program income on-hand throughout the year to assess its responsibility to return funds to the line of credit. Anticipated Completion Date: Will incorporate the auditor's recommendation into year end processing for fiscal year 2024, which will occur around June 30, 2024. Name(s) and Title(s) of Responsible Person(s): James Wood, Finance Director