Corrective Action Plans

Browse how organizations respond to audit findings

Total CAPs: 48,772 in database. Filtered results: 7,448 matching current filters. Showing page 136 of 298, 25 per page.

Active filters: § 200.303
Views of Responsible Officials: The Organization will complete and implement a formal, written procurement policy.
2022 – 006 – Procurement and Suspension and Debarment Recommendation: The City of Nogales should enhance and/or modify existing controls over procurement, suspension and debarment policies and procedures to ensure adherence to all uniform grant guidance requirements. This could include implementing a more robust checklist that should be completed, signed off by management and included with each procurement which has all required items noted such as cost/price analysis and verification of suspension and debarment of vendors. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Corrective Action Plan: The City will work on creating a checklist for all directors/management to sign off on that will be included in every capital purchase that requires procurement. This will include verification of vendors. Names of contact person(s) responsible for corrective action: Mr. Roy Bermudez, City Manager Anticipated Completion Date: June 30, 2025
Provider Relief Fund/American Rescue Plan – Assistance Listing No. 93.498 Recommendation: We recommend that management implement more formal control process surrounding the use of federal awards where there is segregation between individuals identifying or proposing expenditures/uses of funds and an individual reviewing and approving that expenditure/use. We also recommend for any formal reporting required under federal awards that there be a formal review process where an individual is reviewing and approving the report who did not prepare the report. Documentation of review and approval should be retained in both cases. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action planned in response to finding: New policy and process will be implemented by new CFO to ensure approval processes and expenditures of all federal awards. Reconciliations and other required documents for use and submission of federal funds will be reviewed with CFO, Accounting Manager and CEO. New policy and process including checklist was targeted to be implemented by new CFO (February 1st, 2023), however this process change has already been completed as of October 28th, 2022. By having a formal process for federal awards will ensure approval process and expenditures of all federal awards. Reconciliations and other required documents for use and submission of federal funds. Name(s) of the contact person(s) responsible for corrective action: Shane Coughenour, CFO Planned completion date for corrective action plan: December 31, 2023
Recommendation: We recommend that the Organization should ensure that program managers compare all program reports to the reporting requirements within the grant documents to ensure all quantitative and qualitative information is appropriately included prior to submittal to the oversight Organization. Views of responsible officials: There is no disagreement with the audit finding.
FA 2023-002 Improve Controls over Procurement Compliance Requirement: Procurement and Suspension and Debarment Internal Control Impact: Material Weakness Compliance Impact: Material Noncompliance Federal Awarding Agency: U.S. Department of Education Pass-Through Entity: Georgia Department of Education Assistance Listing Number and Title: 84.027 - Special Education Grants to States COVID-19-84.027 - Special Education Grants to States 84.173 - Special Education Preschool Grants COVID-19-84.173 - Special Education Preschool Grants Federal Award Number: H027A210073 (Year: 2022), H027A220073 (Year: 2023), H027X220073 (Year: 2023), H173A210081 (Year: 2022), H173A220081 (Year: 2022), H173X220081 (Year: 2023) Questioned Costs: $88,074 Prior Year Finding: FA 2022-001 Description: A review of expenditures charged to the Special Education Cluster (Assistance Listing Numbers 84.027 and 84.173) revealed that the School District's internal control procedures were not operating appropriately to ensure that the School District's procurement procedures were followed. Corrective Action Plans: We concur with this finding and as noted it is a repeat finding from the previous year (2022). We have updated our federal purchasing policy with the following verbiage to address micro purchases. "For purchases less than $10,000, no competitive quotations will be required (micro purchase procedures). As defined by FAR 2.101, as in acquisition of supplies or services, the aggregate amount of which does not exceed the micro-purchase threshold ($10,000). For purchases between $10,000 and $250,000, price quotes from at least three qualified." Internal Controls procedures have been reviewed and will be followed to ensure that required procurement methods are being applied to each transaction and that proper documentation is maintained in the expenditure field. 
Transactions will be reviewed by the Program Directors to ensure that the internal control procedures are operating appropriately and in accordance with Federal Programs Uniform Guidance. Estimated Completion Date: Fiscal Year 2024 Contact Person: Trey Wood, Finance Director Telephone: 706-795-2191 ext. 1023 Email: trey.wood@madison.k12.ga.us
View Audit 308463 Questioned Costs: $1
FA 2023-001 Improve Controls over Schoolwide Consolidation Procedures Compliance Requirement: Activities Allowed or Unallowed Allowable Costs/Cost Principle Internal Control Impact: Significant Deficiency Compliance Impact: Nonmaterial Noncompliance Federal Awarding Agency: U.S. Department of Education Pass-Through Entity: Georgia Department of Education Assistance Listing Number and Title: 84.027 - Special Education Grants to States Federal Award Number: H027A210073 (Year: 2022), H027A220073 (Year: 2023) Questioned Costs: $47,432 Description: The policies and procedures of the School District were insufficient to provide adequate internal controls over the Schoolwide Consolidation of Funds process. Corrective Action Plans: We concur with this finding. The finance department has been working closely with the Georgia Division for Special Education Services and Support to correct the error in regards to the process that the consolidated IDEA funds are accounted. On April 16, 2024, we submitted our corrective action plan to the State of Georgia updating our processes and it was approved. Noting that we had changed our consolidated funds workbook and the way expenditures are reclassed on a monthly basis to correct funds. Since the approval of the corrective action plan, these funds have been requested based on the percentages agreed upon. Estimated Completion Date: Fiscal Year 2024 Contact Person: Trey Wood, Finance Director Telephone: 706-795-2191 ext. 1023 Email: trey.wood@madison.k12.ga.us
View Audit 308463 Questioned Costs: $1
Finding No.: 2023-002 Views of responsible officials and planned corrective actions: We agree with the finding. The College’s internal controls did not detect errors that the Banner system withdrawal report contained incomplete data therefore causing Title IV funds to not be returned within the required time frame. The College will revise existing Return to Title IV procedures to improve the collaboration between the Financial Aid and Admission Offices in identifying all students subject to Return to Title IV. On 04/25/2024, the Assistant Director of Assessment, Institutional Effectiveness & Research (AIER) began this process by instructing the Admission Office Team on the correct withdrawal codes to utilize. This change should ensure all appropriate students are identified in the withdrawal report. In addition to uniformly applying the proper withdrawal codes, additional reports will be utilized for data comparison purposes. Previously, only the withdrawal reports from our Banner system were utilized to identify students who had withdrawn from some or all of their classes. These reports were generated at the end of a term after grades were finalized. Moving forward, withdrawal reports generated from our Envisions Argos system will be used along with our Banner system reports to help ensure all students with some level of withdrawal status are identified. The Financial Aid Office is working with AIER to create a withdrawal report that contains the required data needed to identify students who have withdrawn from classes. The use of both the Banner report and Argos report will assist our office to identify students who have officially withdrawn from classes as well as those who have unofficially withdrawn from classes (i.e., students receiving all failing, technical failure, incomplete, or similar grades). 
The College will also strengthen their controls surrounding the timely review of student withdrawals to ensure Return of Title IV calculations are completed in a timely manner and refunds are returned to the Department of Education within the required 45-day timeframe. Records of 14 students (10 students identified in the ARGOS report from AIER together with the four students identified by FAO as official withdrawal students) have been reviewed and the Return to Title IV calculations have been completed for the eight students who did not complete 60% of the term. The process to return the funds to ED commenced the week of 05/13/24. After this process has been completed, corrections to our Award Year 2022-2023 FISAP report data will be submitted to COD. Contact Person: Gemma-Lee P. Santos, Financial Aid Coordinator Expected Completion Date: June 30, 2024
View Audit 308414 Questioned Costs: $1
Finding Number: 2023‐001 Program Names/Assistance Listing Titles: Assistance Listing Numbers: Title I Grants to Local Educational Agencies 84.010 Supporting Effective Instruction State Grants 84.367 Student Support and Academic Enrichment Program 84.424 Education Stabilization Fund 84.425C Education Stabilization Fund 84.425D Education Stabilization Fund 84.425U Contact Person: Lynn Lang, Chief Financial Officer Anticipated Completion Date: June 30, 2024 Planned Corrective Action: The District will provide trainings on a regular basis for personnel responsible for grants management. The District will adhere to internal controls to ensure expenditures align to grant budgets.
View Audit 308410 Questioned Costs: $1
Finding 2023-001: Procurement United States Department of Agriculture – Child Nutrition Cluster United States Department of Agriculture – Child and Adult Care Food Program Criteria: The non-federal entity must maintain records sufficient to detail the history of procurement. These records will include, but are not necessarily limited to, the following: Rationale for the method of procurement, selection of contract type, contractor selection or rejection, and the basis for the contract price (2 CFR section 200.318(i)). The non-federal entity must also establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2 CFR section 200.303(a)). Condition: Records detailing which vendors were contacted, when they were contacted, and support for the rationale in choosing the vendor, is not documented. Questioned Costs: None Cause: Management did not maintain a detailed history of procurement and did not document a review process. Effect: There is no reasonable assurance that the Organization managed the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Recommendation: Purchasers should record, and keep on file, backup detailing which vendors were contacted, when they were contacted, support for the rationale in choosing the vendor. Management should implement a system of internal controls for this process. 
Planned Corrective Action: Shloma Weiss, Administrative Director, will establish and implement a process for documenting the procurement history and establishing a system of internal controls.
CORRECTIVE ACTION PLAN SEPTEMBER 30, 2023 REFERENCE: 2023-101 REPEAT FINDING REFERENCE: 2022-001 CFDA NUMBER: 10.558 – CHILD AND ADULT CARE FOOD PROGRAM U.S. DEPARTMENT OF AGRICULTURE - FOOD AND NUTRITION - 2023 PASSED THROUGH ARIZONA STATE DEPARTMENT OF EDUCATION GRANT NUMBER 6AZ300003 CLIENT RESPONSE AND CORRECTIVE ACTION PLAN We concur with the condition. 1. Name of the contact person responsible for corrective action: Deanna Barrowdale, Director 2. Corrective action planned: Corrective action planned will include technical assistance with staff on review of the menu/meal counts, creditable meal components for accuracy, dates received, and children in attendance and ratios. Director and Co-Director will carefully review the provider menus to ensure that menus are mathematically accurate. We will contact our providers via newsletter, website, annual training and correspondence of ongoing changes and reminders for compliance of credible mealtimes and reimbursement. 3. Anticipated completion date: FY 2024
Reporting Finding 2023-004 Federal Agency Name: Department of Health and Human Services Assistance Listing Number: 93.498 Program Name: COVID-19 Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution Finding Summary: The calculation of lost revenues contained errors. Corrective Action Plan: The Authority has enhanced the internal controls to ensure underlying supporting records agree to the final reports submitted to HHS, including a review and approval by someone different than the individual inputting the report data. Responsible Individual: Priacilla Leatherman, VP of Finance Anticipated Completion Date: May 2024
Activities Allowed or Unallowed, Allowable Cost/Cost Principles, and Reporting Finding 2023-003 Federal Agency Name: Department of Health and Human Services Assistance Listing Number: 93.498 Program Name: COVID-19 Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution Finding Summary: activities. The Authority claimed expenses attributable to coronavirus but did not reduce such expense by the amounts Medicare reimburses or is obligated to reimburse the Authority. Corrective Action Plan: The Authority has enhanced the internal controls to ensure underlying supporting records agree to the final reports submitted to HHS, including a review and approval by someone different than the individual inputting the report data. Responsible Individual: Priacilla Leatherman, VP of Finance Anticipated Completion Date: May 2024
Management concurs. The City will strengthen its policies and procedures related to federal award reporting to comply with reporting requirements.
Management concurs. The City will establish and enforce comprehensive subrecipient monitoring protocols. This includes developing standardized monitoring procedures, providing staff training on monitoring requirements, allocating sufficient resources for monitoring activities, and implementing mechanisms for regular review and documentation of monitoring efforts. By strengthening subrecipient monitoring practices, the City can mitigate risks, ensure compliance with grant requirements, and safeguard the effective utilization of grant funds.
Management concurs. The City will strengthen its policies and procedures related to federal award reporting to comply with reporting requirements.
Management concurs. The City will reinforce its procurement policies through regular training and clear communication to all relevant staff members. Specifically, the importance of using a contract routing sheet and obtaining all required signatures on contracts will be emphasized. Additionally, a periodic review process to ensure compliance with this policy will be implemented to help prevent future occurrences. The City will also take steps to review past contacts for similar issues and take corrective action when necessary.
Management concurs. The City will ensure responsible personnel has a clear understanding of the reporting guidance. The City will implement policies and procedures to monitor and review all reports prepared and submitted by the Grants Department or its designee.
Finding 399379 (2023-001)
Significant Deficiency 2023
The County will implement additional review procedures.
The original preparer will provide the report prior to submission to the United States Department of Treasury each quarter to another employee in the Administration office to cross reference totals from New World financial software system and information provided from the Auditor's Office. A written report on findings of this review will be submitted to the Auditor's Office by the due date of the submission to the United States Department of the Treasury.
American Rescue Plan Rural Distribution, Provider Relief Fund – Assistance Listing No. 93.498 Recommendation: We recommend that management implement more formal control process surrounding the use of federal awards where there is segregation between individuals identifying or proposing expenditures/uses of funds and an individual reviewing and approving that expenditure/use. We also recommend for any formal reporting required under federal awards that there be a formal review process where an individual is reviewing and approving the report who did not prepare the report. Documentation of review and approval should be retained in both cases. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action planned in response to finding: We will formalize policies and procedures around documenting review and approval for both use of grant funds, and related reporting. Name(s) of the contact person(s) responsible for corrective action: Lee Elbert, CFO Planned completion date for corrective action plan: June 30, 2024
Planned Corrective Action: Management concurs with the recommendation and will review the appropriate guidance and implement enhanced procedures for including secondary level of review. Contact person responsible for corrective action: Mariela Romo, Administrator & Michael Remensnyder, Controller Anticipated Completion Date: 8/31/2024
The Alamo Colleges District Student Financial Aid Office has collaborated with Internal Audit to put into place controls that ensure Alamo Colleges District Board policies are followed and that all Financial Aid staff are trained on the execution of those policies. Additional control reporting has been established to monitor compliance. The Board Policy F.2.4 has also been revised to clarify those expectations. Implementation Date: June 2024 Responsible Persons: Dr. Harold Whitis, District Director of Student Financial Aid
To ensure compliance with the provisions of the Gramm-Leach-Bliley Act (GLBA), specifically the requirement that the District’s written Enterprise Data Governance Standard (EDGS) includes a description of the use of a data inventory that includes how the institution is identifying and managing data, personnel, devices, systems and facilities, management has revised the EDGS to specify that a data inventory for each functional system domain shall take place annually under the direction of the Data Owners and the procedures performed and results shall be adequately documented. Implementation Date: August 2024 Responsible Persons: Phong Banh, District Director of Information Technology Services Patrick Vrba, Controller
Internal Control over Compliance (Repeat Finding 2022-001, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002, 2015-002, 2014-008) Name of contact person responsible for corrective action plan: Rhett R. Vertrees, Assistant Chief Financial Officer 2601 Enterprise Road, Reno NV 89512-1666 Phone: (775)784-3409, Fax: (775)784-1127 Email: rvertrees@nshe.nevada.edu Responses UNR agrees with the findings • Detailed corrective action taken, including what will be done to avoid the identified issues in the future, and when these measures will be in place; The technical staff can only have the PeopleSoft Administrator (PSA) role in either development or production, but not both. There is an approval process in place to ensure that access is removed from either development or production when a PSA needs to be moved across to the other environment. This process became effective March 1, 2023. There is a quarterly security review of the PeopleSoft Administrator role in PeopleSoft. The first quarterly review was performed in FY16 Q1 and has been performed each quarter since. The reviews are documented and approved. There is a quarterly security review of the PeopleSoft Administrator activities in PeopleSoft. The first quarterly review was performed in FY22 Q4 and has been performed each quarter since. The reviews are documented and approved. There is a quarterly security review of the PeopleSoft Oracle database and user access. The first quarterly review was performed in FY20 Q2 and has been performed each quarter since. The reviews are documented and approved. • How compliance and performance will be measured and documented for future audit, management and performance review. Compliance and performance can be measured by the documented quarterly reviews. • Who will be responsible and may be held accountable in the future if repeat or similar observations are noted. The PeopleSoft Manager will be responsible for ensuring the corrective actions plans are implemented and followed. 
The Vice President of Information Technology will be accountable for the department’s compliance. UNLV agrees with the finding. • Detailed corrective action taken, including what will be done to avoid the identified issues in the future, and when these measures will be in place; UNLV understands the importance of adequate segregation of duties within the PeopleSoft environments and applications. The PeopleSoft Administrator (PSA) position that is the subject of the finding is responsible for the installation, configuration, upgrades, and troubleshooting of all the application environments. The PeopleSoft Administrators are not programmers/developers, and their access to the production environments is periodically required to perform the needed activities required to provide timely support of the application within the scope of their job duties. UNLV has implemented the following controls to mitigate the risks associated with the elevated access required for the administrators to perform their required support activities. 1. UNLV has removed all persistent assignment of the PeopleSoft Administrator role from all PSAs in all environments. 2. The PeopleSoft Administrator role is temporarily assigned only when elevated actions are required. All assignments are of a limited duration and include a justification detailing the need and actions to be performed. All assignments trigger the following actions: a. An immediate notification to the Director of Business Continuity & Resiliency and the Interim Senior Associate Vice Provost for Digital Strategy and Transformation. b. Removal is automatic but can be initiated by PSA if work is completed sooner than expected. c. All details around the assignment are captured in a tracking table. d. A review of all assignments and activities is performed monthly. 3. UNLV will continue to review access, activities, and assigned privileges monthly for the PeopleSoft Administrators. 4. 
UNLV will continue researching and implementing other control methods that may strengthen the segregation of duties or the monitoring capabilities that are available. • How compliance and performance will be measured and documented for future audit, management and performance review. The PeopleSoft Administrator role is no longer persistently assigned to the PSA position. It is only assigned upon request with the knowledge and approval of approving authorities. UNLV performs monthly reviews of the access and activities to determine if the PeopleSoft Administrators' activities align with the necessary support. Additionally, UNLV will continue to research other control methods that will address the segregation of duties while providing appropriate service and support. • Who will be responsible and may be held accountable in the future if repeat or similar observations are noted. The Director of Business Continuity & Resiliency will be responsible for performing the activity reviews and access needs of the PeopleSoft Administrators. The Director will complete the reviews and is also accountable if repeat or similar observations are noted. The Chief Information Security Officer will verify that reviews are conducted on a monthly basis per audit practices. SCS agrees with the findings • Detailed corrective action taken, including what will be done to avoid the identified issues in the future, and when these measures will be in place; In addition to the compensating controls (a) to (d), that have been operating since prior to FY23 the segregation of PeopleSoft Administrators (PSA) is enforced through a “locked account” process. Only two employees have PSA access in both the Production and Development environment. Each employee can only have access to the Production or Development environment at any one time, i.e., the PSA account in the other environment remains locked. A JIRA ticket must be opened for an account to be unlocked. 
The request is approved by management and the account is unlocked by a member of the IT Security Team. The controls listed below should also mitigate the segregation of duties risk and support a review of “user activities” in the absence of an appropriate user activities audit log function. (a) STAT for PeopleSoft – Code control and internal modification tracking provides visibility over PSA activities that are processed via this tool. These object changes are reviewed and approved by the Director of Information and Application Services. (b) JIRA ‐ Change control management and project tracking software. Change requests and projects related to the PeopleSoft shared instance are tracked and approved. This would include user access modifications and system updates for example. (c) Security e‐mail alerts – The SCS security team are alerted via automated e‐mails when key events are triggered. For example, an elevated role is assigned to a user. (d) User Access Reviews – On an annual basis an independent user access review is performed incorporating SCS/SA privileged users and all shared instance security coordinators. • How compliance and performance will be measured and documented for future audit, management and performance review. The PeopleSoft Administrators will have persistent unlocked access to either the Production or Development environments only. Their corresponding account in the other environment will remain locked. In the event that access is needed to the locked environment, a ticket will be created requesting access which will document the rationale and approvals. In addition, PSA activities are monitored via the change control process through STAT for PeopleSoft. Object changes within the Production environment for example, are approved along with the associated workflows. • Who will be responsible and may be held accountable in the future if repeat or similar observations are noted. 
The SCS Director of Information and Application Services, and SCS Security Group are responsible for locking/unlocking PSA accounts. The SCS Security Group monitor PeopleSoft e-mail alerts. The IT Audit Manager is performing annual SCS/SA privileged user access reviews.
Tapestry will review the policies and procedures with staff and make necessary updates. The updated Purchasing & Procurement policy will outline a specific role in the Finance department that will champion CFR rules and ensure all vendors’ contracts are tracked, managed, and comply with suspended and debarment rules. This data will be stored on our SharePoint drive for reference and will be reviewed periodically. The anticipated completion date to correct the Finding 2023-005 is August 15th, 2024.