Corrective Action Plans

Browse how organizations respond to audit findings

Active filters: § 200.303
CASH MANAGEMENT Bluefield State University and West Virginia State University Assistance Listing Number 84.425J Bluefield State University (BSU) response Effective June 2024, BSU will draw down funds on appropriate expenditures that have already been disbursed to avoid any cash management violations. West Virginia State University (WVSU) response Currently all funds have been disbursed for HEERF awards P425E201113, P425F201736, and P425J200056. WVSU will reconcile the SEFA receipts and disbursements to internal data to locate the discrepancy and make the necessary corrections. Further, WVSU will review and update internal controls related to cash management rules to ensure compliance for drawdowns and disbursements.
ALLOWABILITY Department of Education (DOE) Assistance Listing Number COVID-19 84.425D, 84.425U The DOE plans to strengthen its internal controls by putting in place a review of procurement procedures prior to the Local Educational Agency (LEA) finalizing a purchase. This control will entail DOE working with LEAs to monitor their internal control procedures for procurement and testing these procedures randomly throughout the year. The questioned costs were first identified as stringing in the FY21 monitoring. Subsequently, there was a repeat finding with the same vendor in FY22 which raised additional questions. The LEA was required to do an additional training put on by the DOE to improve knowledge/procedures of WV Policy 8200. The DOE plans to address these issues by working with the LEA to move the expenses off federal monies. Along with working with the LEA, the DOE is working with the FBI, West Virginia State Police, and the Office of the Inspector General to investigate the spending and the vendor themselves.
View Audit 293105 Questioned Costs: $1
REPORTING Department of Education (DOE) Assistance Listing Number COVID-19 84.425D, 84.425R 84.425U, 84.425V Effective February 2024, the DOE plans to continue to enforce the existing policies and procedures in place along with ensuring all required documentation is retained for review. The DOE plans to review the ESSER Reporting Workbook by testing several indicator values i.e. expenditure amounts, demographic data, etc. There will be an approval process put in place once the Local Education Agency (LEA) submits the reports to the state. This approval process will include reviewing the edit checks with the LEA prior to final certification of data. Certification data will include an email from the LEA approving the final copy of the ESSER Reporting Workbook.
TRANSPARENCY ACT REPORTING Department of Education (DOE) Assistance Listing Number COVID-19 84.425C, COVID-19 84.425D The West Virginia Department of Education, Office of Internal Operations have established internal controls and procedures over the FFATA reporting and were set in place as of July 1, 2023. These procedures involve a second reviewer of the monthly FFATA reports and a signature of approval prior to reporting each month.
INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – ENROLLMENT REPORTING Bluefield State University, Blueridge Community and Technical College, Concord University, Fairmont State University, Marshall University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia State University, West Virginia University, and West Virginia University at Parkersburg Assistance Listing Number 84.063, 84.268 Bluefield State University (BSU) response Effective February 2024, BSU will review the final enrollment report and approvals will be signed off to submit the report to NSC, the third party will consistently retain a copy within our institution. BSU will retain the record count reconciliation between the final enrollment report, text file, and the number of files received by the NSC, including documentation on how any rejected records were addressed. BSU will retain the details of the validation of the student’s information included in the report for accuracy. BSU will consistently retain the NSC automated emails used as a quality checklist regarding due dates, and receipt of the text files by the NSC. The availability and completion of the Error Resolution Report, as well as the confirmation of certification and processing by the NSC report, will all be retained. Blueridge Community and Technical College (BRCTC) response BRCTC asserts that the Enrollment Reporting process is accurate and reviewed in a timely manner; BRCTC further asserts that the emails from the National Student Clearinghouse are reviewed. As a result of this finding, BRCTC will expand its internal control to include documentation of reviews internally and externally with the NSC. This update to the internal control process was implemented in February 2024. 
Concord University (CU) response Effective February 2024, the internal controls at CU over the review and approval of the enrollment report sent to the National Student Clearinghouse (NSC) have been updated to include the following control measures in addition to the current controls on file: 1. CU has contacted NSC to begin generating the email response for the receipt of the .txt file when submitting it to the NSC FTP portal. This email notification will be kept on file with the other report documentation. 2. CU has implemented a new checklist sheet to accompany the report and its documentation to provide a clear and organized outline of required documents and to ensure these requirements are provided. This sheet will be part of the Spot Check Letter that is included in the current control method and signed off on by two members of the Registrar’s Office staff. 3. CU has also included in this new checklist a space to document the number of student files submitted to NSC and the number of files submitted to NSLDS as noted by NSC. The printout of this notation provided by NSC will also serve as documentation attached to the report. Fairmont State University (FSU) response Effective February 2024, FSU will retain a screen shot of the record count received by the NSC and will document any rejected records and what the plan is to address the rejected records. FSU will review a portion of the enrollment records being submitted before the submission is uploaded to NSC. This review will include detailed documentation, for a select few, of how we validated the student’s enrollment status. FSU will keep a spreadsheet of the students that are validated and the Banner screens that are used to do so.   Marshall University (MU) response Effective February 2024, MU will document that a record count reconciliation has been completed between the enrollment submission file and the number of files received by the NSC. 
MU will document and retain how any rejected records were addressed. MU will also document and retain records of the spot check validation for accuracy of student information included in the enrollment submission files. Mountwest Community and Technical College (MCTC) response Effective February 2024, a record count reconciliation between the final enrollment report and the number of files received by the National Student Clearinghouse (NSC) will be completed. MCTC will have the NSC query historical data and have it provided in Excel format. This will be a new source of data that will be collected and retained. This file will be generated after every rejection error report that is returned to the NSC. Each file will be saved, and a copy will be sent to the Registrar’s Office. Transmission history can also be saved by table, that can be exported to Excel. These files will also be saved, and a copy sent to the Registrar’s Office. For validation of student information, MCTC will being the process to collect data for the NSC submission first begin in audit mode. This will allow for review of the data to make any corrections that appear in the first stage of the report. Next, a second row of audits processed by the Associate Registrar will be conducted and confirm the data integrity. After this is complete, a copy of the final submission will be sent to the Registrar for final review and authorization. When approval is returned to the Associate Registrar, the data will be uploaded to the NSC. New River Community and Technical College (NRCTC) response Effective August 2024, the Registrar's office will run a random selection of 20 students from NSLDS to ensure students are correct in the clearinghouse, which will be done at least 50 days out from the time students were initially reported. The Registrar’s office will keep documentation of the sampled students. The Registrar’s office will keep records of how many files were accepted and how many were rejected. 
The Registrar’s office will provide documentation of validation of student information included in the enrollment report and retain emails by providing a file specially for NSC enrollment reporting emails received and sent regarding enrollment reporting. Emails to be retained are error resolution and confirmation of certification and processing by the NSC. The Registrar’s office will also create a checklist to follow and use as documentation to ensure all steps throughout the process are completed and checked off the list. Pierpont Community and Technical College (PCTC) response Effective February 2024, PCTC will complete the review of the file before it is submitted, not after it’s submitted. The Associate Registrar will pull the report prior to the due date to give those in the review process ample time to review the files before the Associate Registrar submits the document to the NSC. PCTC will keep track of the due date of submission, the date the text file was sent to the NSC, the date the error resolution report was received, the date it was sent back, and the date the report was certified by the NSC. A new tab in the worksheet in Teams has been created that will be completed each time an enrollment verification is submitted to the NSC. PCTC will note the actual enrollment count as of the time of the NSC submission, the enrollment count on the TXT file, the number of files received by the NSC, and the number of rejected files. This is to verify that all of the files intended to be submitted to the NSC were actually received by the NSC and processed. This information will be kept on each spreadsheet used to verify the information sent to the NSC. Shepherd University (SU) response Effective February 2024, SU will add a checklist to the existing reporting and retention structure that had already been established for Clearinghouse data transmission. 
The checklist will be completed with each transmission, organizing data retention efforts to ensure inclusion of the additional elements required. West Liberty University (WLU) response To comply with internal control over the review and approval of the enrollment reporting to NSC, WLU will enhance their policies and procedures. The update of these policies and procedures will be effective February 2024 and carry forward into future academic years. WLU will ensure that enrollment reporting policies and procedures are compliant with the US DOE standards and retain evidence of the internal controls. Currently, WLU is reorganizing the processing of enrollment reporting from our IT System Administrator to our Enrollment Services Coordinator. This employee will add to the current policy a process by which a record count reconciliation will happen between the final enrollment report text file and the number of files received by NSC. There will also be documentation kept showing how many rejected records were addressed with each report. Proper documentation will also be kept of a final review and approval signoff to submit the enrollment report to NSC. Lastly, WLU will create an email specific to enrollment reporting where all communication from NSC will be stored for auditing and record keeping purposes. West Virginia Northern Community College (WVNCC) response Effective February 2024, the enrollment reporting to the Clearinghouse (NSC) is being moved from the Registrar/Records office to the Institutional Research (PIER office). All reports including determination of reporting intervals per Clearinghouse and SFA guidelines, will be scheduled by the IR office with the Clearinghouse. 
The following items will be retained to match internal controls for each file sent to the Clearinghouse: 1) Retain internal emails or approval document regarding review and approval from two persons for file prior to sending to NSC 2) Retain verification of count of student record in file matching student enrollment at that time 3) Retain verification of record count with records received by NSC 4) Retain a spot check of students (approx. 8-10) from the file which were tested for accuracy including printout of where this was matched (usually SFAREGS time status page is printed) 5) Retain NSC Error Report for each file prior to resolution and document of resolution 6) Retain reminder email from NSC that the submission file is due 7) Retain initial txt file receipt email from NSC 8) Retain NSC posted error resolution report notification email 9) Retain NSC Completed Error Resolution report notification email 10) Retain NSC final processing email The following information for each file will also need maintained (this information is usually obtained from the NSC reporting page under the enrollment reporting link for approximately an 18 month time frame, header records on the files also show file generation date and term date information for the students reported). 1) Scheduled transmission date 2) File certification date 3) NSC received date 4) NSC processed date 5) Academic term the file is sent for 6) Submission type of the file (first of term, subsequent of term, graduate only, etc.) West Virginia State University (WVSU) response WVSU utilizes the National Student Clearinghouse (NSC) to update student’s enrollment and its effects on student’s direct loan and Pell statuses. Thorough edit checks of student data for each semester will be produced by IT on a regular basis. The Office of the Registrar, in coordination with Admissions, Dual Enrollment, and other contributors of student data, will make sure these errors are corrected. 
Special focus will be placed on resolving these errors before each enrollment file is produced. (initial data integrity, first check). On or around the 25th of each month, IT will produce the NSC enrollment file. Each time the file is produced, the file will be sent to the Registrar for review to ensure accuracy of the data being pulled from Banner. Registrar sends approval for upload to NSC. Emails from NSC, IT, and files with student checks to be retained. (process integrity, second check) The file will be uploaded to the NSC by IT, ensuring NSC received the appropriate number of records. The data will then be reviewed and any discrepancies in the data, when compared with past data, will be resolved in a timely manner. The NSC error report will be reviewed and any errors corrected. The NSC process makes sure these errors are resolved before the data is reported to the NSLDS, it is the responsibility of the Registrar to make sure these are resolved with accurate data. Emails from NSC, and screenshots of errors will be retained. (data integrity, third check) After resolution of errors, the NSC will perform a final review of data before sending to the NSLDS. This will be reported on the NSLDS Reporting tab of the Enrollment Reporting screen in the NSC website. If data is satisfactory, the submission will be marked with “Congrats. No Errors!” by the originator clearinghouse. The NSC sends emails whenever these items are updated. It is the responsibility of the Registrar to review and resolve any errors in a timely manner. Emails from NSC and screenshot of NSLDS reporting dashboard to be retained. (data integrity, fourth check) The enrollment data is then submitted to the NSLDS. After NSLDS reviews the data, any errors will be reported back through the NSC in the same manner as NSC errors. Resolution of these errors is of special importance and will be given top priority. The NSC sends emails whenever these items are updated. 
It is the responsibility of the registrar to review and resolve any errors in a timely manner. Emails from NSC and any error documentation to be retained. (data integrity, fifth check). These policies and procedures will be implemented in August 2024. West Virginia University (WVU) response WVU’s Registrar’s office reviews rejected records and takes appropriate action to clear the rejections. Many of these rejections require additional information from students, therefore resolution is based on student discretion in providing documentation. Effective February 2024, WVU will ensure that documentation of the submission record count and rejection follow up is maintained. West Virginia University at Parkersburg (WVU-P) response Effective February 2024, WVU-P will reconcile the record count of enrollment records processed by taking the following actions: 1. Highlighting the record count at the end of the Banner-generated enrollment report file as part of the spot-checking review process. 2. Screenshotting the number of files received by NSC once they acknowledge that the file has been received. 3. Retaining documentation to show that if for some reason the file count does not match, research was done to locate the reason for the discrepancy, and the discrepancy was either resolved or WVU-P is able to document why it could not be resolved. Records and Financial Aid are working together now to develop procedures to properly document the error resolution process. WVU-P will have this process in place by April 2024, in time for the new process to be fully implemented beginning with the Summer 2024 term. WVU-P will retain all documentation, including all emails sent by NSC throughout each enrollment reporting process, within a folder in a secure drive. The name of the folder will be the date that the enrollment report was sent to NSC.
INTERNAL CONTROLS OVER FINANCIAL REPORTING Pierpont Community and Technical College (PCTC) Assistance Listing Number 84.063, 84.268 Beginning October 2022, PCTC has performed the updated monthly reconciliation process that was originally to take place beginning July 1, 2022. Due to the loss of the Information Systems Specialist (ISS), PCTC failed to begin on the intended date. The DLSAS reports from COD are downloaded by the 10th of each month, as before, by the ISS. The reports are provided to the Assistant Director of Financial Aid (Asst.) and then reconciled to both Banner paid and Common Origination and Disbursement (COD). The Asst. takes screen captures of both Banner and COD for a monthly reconciliation of the Federal Pell Grant and DL programs. Screen captures are printed, and comparisons are made by the Asst. All necessary adjustments are performed to student accounts by the Asst. or Director of Financial Aid (Director) until balanced. Reports verifying reconciliation are then completed, initialed, and saved by the Asst. and then reviewed and signed by the Director for completion and accuracy. PCTC will maintain the documentation of the DLSAS statements each month and the reconciliation report along with evidence of said review. The completed reconciliation information files are in our shared drive. This process has been in place, ongoing and has been effectively followed since October 2022.
SPECIAL TESTS AND PROVISIONS – PERKINS LOAN RECORDKEEPING AND RECORD RETENTION Concord University, Marshall University, Shepherd University, West Liberty University, West Virginia School of Osteopathic Medicine, and West Virginia University Assistance Listing Number 84.038 Concord University (CU) response Due to changes in personnel, CU did not follow this regulation. CU will review ECSI’s report, specifically looking for instances of noncompliance and internal control breaches. This will be documented annually and will be effective August 2024. Marshall University (MU) response MU has regularly monitored the services provided by ECSI for accuracy and completeness throughout a 30-year relationship without significant issues. Additionally, during fiscal year 2023, MU worked closely with ECSI on the Department of Education’s government assignment of 837 Perkins loans going back as far as 1978. This process clearly involved several compliance requirements of this program and was completed with no compliance problems encountered. MU will document the review of ECSI’s annual audit going forward. Shepherd University (SU) response By April 2024, SU will develop and maintain a checklist that will be periodically reviewed and signed off related to this finding, specifically: Annually, SU will pull SOC reports along with any compliance audits for review of findings or areas of interest and will assess and determine any factors that may need further investigation or mitigation from SU. West Liberty University (WLU) response Effective February 2024, WLU’s CFO, Controller and Student Accounts Manager together will meet and review the most recent Title IV compliance audit. The meeting will be set using emails. Minutes and notes will be taken regarding items reviewed and conclusions reached and will retain documentation and all other relevant documentation will be retained. Any issues that arise will be dealt with accordingly. 
West Virginia School of Osteopathic Medicine (WVSOM) response Adequate due diligence was not performed to ensure that the third-party services, Educational Computer Systems, Inc. (ECSI) were following the requirements for the functions that they are performing for WVSOM. The third-party services Title IV compliance audit was obtained but was not signed off on as reviewed. A new procedure will be written with the following steps: 1) Accountant Senior in the Cashiers office will request the “Examination Report on Compliance with Title IV Programs” and the System and Organization Controls for Service Organizations: Controls Relevant to Security (SOC 2). The Accountant Senior will review the reports for compliance and sign off. 2) Accountant Senior will forward the reports to the Director of Finance. The reports will be reviewed for compliance and signed. 3) The Director of Finance will forward it to the Director of Accounting for submission with the audit. The new procedure will provide two reviews and sign-offs and are effective January 2024. West Virginia University (WVU) response WVU’s Student Financials Services (SFS) department receives the 3rd Party Servicer compliance reports annually and reviews these reports once received. WVU will maintain detailed meeting minutes to document the review of 3rd Party Servicer reports moving forward. The review of the report available for fiscal year 2024 was conducted on December 19, 2023 between members of Compliance and Training (CT) and Revenue Management (RM) teams. In this meeting, the following 3rd Party Servicer reports were discussed; report on controls at a service organization relevant to user entities’ internal control over financial reporting, SOC 2 report and examination report on compliance with Title IV programs. It was noted there were no findings in the reports. 
Regarding MPN’s, deferments and cancellations for Perkins loans, members of SFS are pursuing several areas of remediation to resolve the fiscal year 2023 finding. SFS personnel will review all open Perkins loans and inventory files to consolidate into one central location. All files will be reviewed for paper MPN’s, deferment and cancellations request and an inventory list will be attached to a central location for all Perkins records. Additionally, WVU is in the process of exploring liquidation of all Perkins loans currently held by the school. While SFS is committed to resolving the current issues regarding Perkins Recordkeeping, it should be noted that this commitment must be balanced with staff’s requirements to process student aid for current students that has been delayed numerous times due to FAFSA simplification delays.
SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE Bluefield State University, Blueridge Community & Technical College, Concord University, Mountwest Community and Technical College, Shepherd University, West Virginia Northern Community College, and West Virginia University at Parkersburg Assistance Listing Number 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.264, 93.342, 93.364 Bluefield State University (BSU) response BSU will submit the URL of their contract with their third-party servicer and cost information to the U.S. Department of Education for their publication in the Cash Management Contracts Database by Friday, February 23, 2024. BSU will also implement a detailed due diligence review over the fees assessed by the third-party servicer of Title IV credit balances. Blueridge Community & Technical College (BRCTC) response We acknowledge that BRCTC did not have internal controls in place to review the contract with our third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. By February 2024, documents will be requested and an annual due diligence review will be performed and documented of the third-party servicer contract and compliance audit as well as review of fees assessed by the third-party servicer. Concord University (CU) response CU agrees with this finding and due to changes in personnel, this regulation was not followed. CU will review and document the review of the Cash Management Database annually to ensure the link is posted. CU will review and document the review of other financial institutions charges compared against BankMobile’s fees annually. CU will annually review the servicer’s SOC report. CU will review BankMobile’s report, specifically looking for instances of noncompliance and internal control breaches. This will be documented annually. 
Mountwest Community and Technical College (MCTC) response Effective February 2024, MCTC will implement a review process to be conducted on an annual or monthly basis, as applicable, of all accounts opened with the Servicer during the specified timeframe. The "Activation & Preferences Report" available to management through the Servicers Administrator portal will be used to provide the data for review by management. The review process will consist of the following: • A request made of the servicer to provide a report of accounts opened with date/time stamp of consent to opening. Frequency: Monthly • Review of "Activation & Preferences Report" validated against Servicer "Accounts Opened" report. Frequency: Monthly • Generate a follow-up email to applicable students confirming the opening of the Servicer Account which will include an attachment of the Servicer "Terms and Conditions" and "Fee Schedules". Frequency: Monthly • Review the Servicers' Client Contract and Profile site for accuracy and completeness of information. Frequency: Annually • Review the Servicers' System and Organization Controls (SOC) and Compliance audits. Frequency: Annually • Management will incorporate as part of its "Due Diligence and Attestation" copies of comparable banking institution fee schedules that are date/time stamped to serve as evidence of review. Shepherd University (SU) response By April 2024, SU will develop and maintain a checklist that will be periodically reviewed and signed off related to this finding, specifically: Annually, SU will be submitting the URL to the Department of Education related to the contracts between SU and BankMobile, reviewing compliance audits and SOC reports for BankMobile, recording areas of risk, and noting ways to mitigate the potential risk moving forward. 
West Virginia Northern Community College (WVNCC) response Beginning June 2024, during the annual review meeting between WVNCC and BankMobile (the servicer that delivers Title IV credit balances to students), WVNCC will obtain a copy of the BankMobile compliance audit. This will be kept on file within the Business Office for reference if needed. In addition, the budget committee will review annually the fees charged by BankMobile and attempt to compare them to other providers of similar services. West Virginia University at Parkersburg (WVU-P) response WVU-P has submitted a URL to the US Department of Education of our contract and cost information with our third-party servicer. This submission should correct this portion of the finding although it was done after the end of the fiscal year under audit but serves to correct the finding in subsequent periods. WVU-P will ensure compliance with the remaining items noted by creating a written internal control policy requiring the following: • Verification of the required submission of the third-party contract with the Department of Education. • Documentation of a due diligence review of the fees assessed by the third-party servicer. • Obtain a copy of the annual compliance examination of the Title IV Programs. The 2022 report dated June 29, 2023, was received and reviewed by us for compliance with eligibility, systems, and internal controls, disbursements, Return of Title IV funds, and administrative requirements. • Obtain a list of students whose refunds were disbursed by the third-party vendor and cross-reference it with a list of the students processed and sent to the third-party vendor by WVU-P. For those students who elected to open a checking account, WVU-P will review supporting documentation to indicate that the student gave proper consent. These policies and procedures will be effective February 2024.
INTERNAL CONTROLS OVER CASH MANAGEMENT Bluefield State University, Fairmont State University, Mountwest Community and Technical College, and West Virginia Northern Community College Assistance Listing Number 84.007, 84.033, 84.063, 84.268 Bluefield State University (BSU) response By June 2024, BSU will ensure that if a drawdown approval occurs in person with the Director of Financial Aid, the approval signature will be obtained during the meeting. Fairmont State University (FSU) response Effective February 2023, FSU has added a second level review control and it was put into place to address the inadequate internal controls identified. Mountwest Community and Technical College (MCTC) response Effective February 2024, MCTC will make the appropriate effort to obtain "inked" approvals prior to initiating drawdown requests through G5/G6 to serve as proof of double verification. However, MCTC does note that single reviews are completed prior to any drawdown request as evident of the relationship between the requestor and initiator of the drawdown in G5/G6 to ensure accuracy and completeness. West Virginia Northern Community College (WVNCC) response Beginning April 1st, 2024, WVNCC will establish an electronic repository specifically designated for the retention of evidence that a review and approval of all drawdown requests occur. The repository will be reviewed internally on a quarterly basis by the CFO and any anomalies will immediately be brought to the attention of staff and resolved.
SPECIAL TESTS AND PROVISIONS – RETURN OF TITLE IV FUNDS Blueridge Community and Technical College, Bluefield State University, Fairmont State University, Mountwest Community & Technical College, Pierpont Community and Technical College, and West Virginia Northern Community College Assistance Listing Number 84.007, 84.033, 84.063, 84.268 Blueridge Community and Technical College (BRCTC) response BRCTC maintains a review procedure implemented in December 2023 over the entire Return of Title IV process; after this review, BRCTC will add a secondary review and sign off of those students whose aid does not have to be returned due to being outside the return window. Bluefield State University (BSU) response Effective February 2024, internal controls are in place to perform the Return of Title IV withdrawal and calculation ensuring records comply and that Return of Title IV Refunds are within the required time frame of 45 days. Controls include the review of “Permit to Withdraw” forms to ensure they are completed with all signatures of offices involved and the sign off of Return of Title IV calculations. All reviews will occur within the time frame of 45 days by the Financial Aid Director along with Business Office and Accounting. On February 8, 2024, the Director of Financial Aid spoke with the Registrar and the FA Counselors in separate meetings regarding the late submission of withdrawal forms and performing the Return of Title IV calculations. The Registrar understands they must submit the completed withdrawal forms to the Financial Aid office the same day they are completed by her office. When the forms are received by Financial Aid, a Return of Title IV will be completed within the same week of receipt and sent to the Business Office, if a Return of Title IV Aid is required. 
The Business Office will then review the calculations and perform the necessary repayment of Title IV Aid to the Department of Ed, utilizing the refund process through G5 within the required 45-day timeline. All adjustments to the student's account will be made within the same time frame. Fairmont State University (FSU) response FSU has been identified as an institution that does not have adequate internal controls in place over the return of Title IV funds to prevent noncompliance. FSU has implemented the following Return of Title IV controls. Step by Step-Initial Review: 1. FSU (Information Systems Technician) performs all Return of Title IV calculations through FAA Access to CPS on-line. 2. In Banner, the funds are unapplied to the student’s account according to the Return of Title IV calculation from FAA Access. 3. Return completed Title IV Returns spreadsheet to the Accounting Assistant II that sent them to you with a ‘y’ in the column marked Aid Returned and the dollar amounts of any aid that was returned, and if a letter was mailed to the student and the dollar amount the student is responsible for paying. 4. In Banner comments are added to RHACOMM which include the date of withdraw(s), the type of funds that were returned and the amount of each fund that was returned. 5. If the student has to return Pell Grant (section 10 of the Title IV worksheet)- must send a letter then student has 45 days. Follow up according to federal regulations. 6. If there is a post withdraw disbursement, a letter is sent to the student. Follow up according to federal regulations. 7. FSU only completes the Return of Title IV calculation for students who have withdrawn outside of the withdraw window upon request. Secondary Review: FSU (Financial Aid Counselor) performs a second review of the Return of Title IV calculations through FAA Access to CPA on-line.
This individual verified the data for the calculation has been entered correctly, the adjustments to the Banner system are accurate, and signs off on the Return to Title IV calculation worksheet. FSU has the following controls in place: Who performs the control? Finance Program Manager and Information Systems Technician. What are the reviewer’s qualifications? 3+ years’ experience. When or how often is the control performed? Weekly. What does the reviewer evaluate? Verifies the data for the calculation has been entered correctly, and the adjustments to the Banner system are accurate. What precision is encompassed? (How granular is the review? What are the criteria for investigation? What is the objective of the review?) By student. Additional investigation is needed when reviewer cannot produce the same results from the Return to Title IV form. Verify the accuracy of the calculation and to ensure the data being used for recalculation is accurate. What actions are taken or result? Redoing the recalculation worksheet after verifying the data from the system. Mountwest Career & Technical College (MCTC) response MCTC maintains email communication regarding the completion of Unofficial Return of Title IV Withdrawal Calculations each semester indicating timeliness of calculations. Sampling is done to check calculations and that will be made available in future audits, effective February 2024. MCTC will maintain the SFRWDRL reports for all withdrawals (both official and unofficial) run in “update” mode with notations to indicate timeliness, and to indicate that touch points along the calculation have been reviewed such as checking start and end dates in STVTERM and break days in SOATBRK as well as percentage calculated comparing Banner percentages to manually calculated percentages. 
Sampling of calculations will be compared to manual calculations using USDE supplied manual Return to Title IV worksheets to ensure that the Banner calculation of returns aligns with the manual calculation. Pierpont Community and Technical College (PCTC) response During the prior year’s audit, it was discovered that the prior processor was not completing the Return of Title IV properly. The processor left employment and Return of Title IV procedures were taught to the new processor and Asst. Director. This took place in November 2022. Unfortunately, the processor also did not complete two Return to Title IV before leaving and failed to communicate this information. It was not discovered until after the 45-day window for completion. Upon discovery, the two Return of Title IV were completed and PCTC has since followed the process and has had no additional similar findings. The process is functioning properly which will continue to be followed going forward. West Virginia Northern Community College (WVNCC) response Effective February 2024, for Return to Title IV review and processing in addition to the policies and procedures manual, these additional steps will be taken to maintain internal controls including maintaining email communication regarding the completion of Return of Title IV withdrawal calculations each semester indicating timeliness of calculations. Sampling will be done to check calculations and will be made available in future audits. WVNCC will continue to maintain in the Registrar’s office, the SFRWDRL reports for all withdrawals (both official and unofficial) run in “Update” mode with notations to indicate timeliness, and to indicate the calculations have been reviewed such as checking start and end dates in STVTERM and break days in SOATBRK as well as percentage calculated comparing Banner percentages to manually calculated percentages.
The Financial Aid office will maintain a sampling of calculations that are compared to manual calculations using US Dept of Ed supplied manual Return of Title IV Worksheets to ensure that the Banner calculation of returns aligns with the manual calculation. Additionally for the Fall 2024 semester, a manual sampling of calculations will be reviewed to confirm that the calculations for the current award year are matching.
BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS Blue Ridge Community and Technical College, Bluefield State University, Concord University, Fairmont State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia State University, and West Virginia University at Parkersburg Assistance Listing Number 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.264, 93.342, 93.364 Effective February 2024, all West Virginia Higher Education institutions will ensure any new, modified or terminated access is defined and maintained to document the requestor, access rights modifications requested and approvals. Segregation of duties will be incorporated for the approval of any request. Processes for communication of terminated employees will be documented to ensure timely removal for any Banner user. Periodically, a review of user access will be performed to ensure access rights are consistent with current employees and job responsibilities. Documentation will be maintained for evidence of this review process. All Banner password settings will be configured to enhance overall security and privileged access will be granted to administrators by a unique identifier to ensure there will be no sharing of default accounts. Also, a formal documented change management process will be implemented to show authorization, testing and production approvals for any patches and releases of Banner application and supporting infrastructure to ensure the changes were properly authorized.
SPECIAL TESTS AND PROVISIONS – VERIFICATION Fairmont State University (FSU) Assistance Listing Number 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.264, 93.342, 93.364 Effective February 2024, controls were put into place to address the additional review of the verification compliance requirement process once the initial review was completed. A weekly review with a comprehensive monthly review will be implemented to ensure no students are missed through the review process.
SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY Blue Ridge Community and Technical College, Bluefield State University, Concord University, Fairmont State University, Marshall University, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia State University, and West Virginia University at Parkersburg Assistance Listing Number 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.264, 93.342, 93.364 Blue Ridge Community and Technical College (BRCTC) response Management acknowledges that BRCTC did not retain documentation for the review of the written information security policy during the audit year in question. Effective January 2024, documentation will be kept for the annual review of the written information security policy. Bluefield State University (BSU) response BSU will implement policies and procedures by May 2024 to ensure policies and procedures are in place to address the 7 elements and 8 safeguards that are in the Information Security Program. Concord University (CU) response A Complete Risk Assessment was conducted and completed in May 2023 using the ITIL standards. CU also completed the annual GLBA Risk Assessment using the WolfPac software from Wolf and Company in June 2023. This assessment is done in conjunction with Information Technology, Financial Aid, and the Business Office to evaluate the Controls established by NIST 800-171. In addition, CU uses the KnowBe4 product to do simulated phishing campaigns to test the effectiveness of the CyberSecurity Training. CU and every individual are assigned a Risk Score that can be compared to scores for the industry. Anyone that falls for a simulated phishing email is automatically enrolled in additional training. 
CU has also added the phish reporting function to email clients so everyone can easily report suspected phishing emails for analysis by IT. The GLBA Risk Assessment addresses the following: Employee training and management: All employees are required to complete two trainings each year. One on privacy focused on FERPA and the other on cybersecurity. Current training is being provided using the KnowBe4 software product. CU has reviewed the access to all college resources, especially Banner over the past few months, and made necessary changes to each employee’s access as needed. This review was completed by the Banner data custodians and supervisors. This allows us to ensure alignment of user privileges and job responsibilities. Access to all Banner data was approved by the appropriate data custodian. This is documented and archived in an IT account. All users are required to enter a unique username and password to gain access and are required to meet Microsoft’s password complexity standards. Another important safeguard is physical security. All tele-communication closets are secured by locks and only IT staff has access via a master key or badge. This also is true of the Data Center which houses our on-campus servers. Access to all of our campus services are secured by VPN tunnels. Trendmicro is used to protect client PCs. CU also uses bitlocker on mobile equipment used by employees to encrypt the data. Data that may be stored on mobile devices are required to be encrypted. CU is currently creating a data retention policy for the retention and disposal of data. This policy will meet the state and federal requirements for data retention. Information Systems, including network and software design, as well as, information processing, storage, transmission, disposal, and a complete risk assessment was conducted and completed in May 2023 using the ITIL standards. CU completed a risk assessment using the WolfPac software from Wolf and Company in June 2023. 
In addition, CU uses the KnowBe4 product to do simulated phishing campaigns to test the effectiveness of the cybersecurity training. The institution and every individual are assigned a risk score that can be compared to scores for the industry. Anyone that falls for a simulated phishing email is automatically enrolled in additional training. CU has also added the phish reporting function to email clients so everyone can easily report suspected phishing emails for analysis by IT. Detecting, preventing, and responding to attacks, intrusions, or other system failures. CU uses a Fortinet Fortigate Appliance to provide Intrusion Prevention System (IPS) Firewall, and Virtual Private Network (VPN) connections to campus. Regular software maintenance and patch management of network equipment is performed. Network patches are deployed in a test bed as they are released. If no issues are found, they are deployed to production network equipment. Systems are monitored weekly and required patches are first cleared with Enterprise Systems to ensure compatibility with Student Information System before production implementation. CU created the incident response plan and disaster recovery plan in 2022. CU partnered with CISA of Homeland Security to conduct weekly vulnerability scans using their Cyber Hygiene Services in 2022. CU also uses Nessus to do internal vulnerability scans on a monthly basis. CU is using these reports to make needed changes to network and server infrastructure to stay as protected as possible from threats. CU implemented multifactor authentication for all employees in 2022. Backups of student information system are facilitated by Oracle in our Oracle cloud environment using the Oracle database backup cloud service. Production backups are configured to retain 45 days of changes. CU conducts redundant nightly backups that will be stored on-campus for 365 day coverage and retention. CU also implemented immutable backups through ORACLE during 2023.
Safeguards for each risk were identified. Safeguards for each risk were discussed and are shown in the Risk Assessment. CU identified two areas for improvement. Implementing data loss prevention in TrendMicro Apex 1 and blocking traffic from unfriendly nations. Implement and periodically review access controls. Access to Banner is reviewed annually by the data stewards and any unnecessary employee access is removed. Additionally, access is removed when employees leave the institution. CU conducts a periodic inventory of data, noting where it’s collected, stored, or transmitted. This is done as part of the GLBA risk assessment using WolfPac. CU encrypts customer information on the institution’s system and when it’s in transit. Bitlocker is used on university equipment to encrypt the entire computer hard drive. Security channels are used to transfer data when needed. A vpn tunnel and web access firewalls are used to access the Banner data in the Oracle Cloud Infrastructure (OCI). The databases are encrypted at rest and in-transit. Assess apps are developed by CU and internal and external vulnerability scans are conducted. CU also reviews system logs and uses well supported development frameworks and tools. CU implemented multi-factor authentication for anyone accessing customer information on the institution’s system. Multi-factor authentication is required of all employees before they can access CU resources off-site. The employee network is segmented on its own virtual local area network. CU disposes of customer information securely and purged online forms that are no longer needed, especially those that contain PII. Financial Aid recently destroyed old documents using an onsite shredding service after scanning the documents that needed to be retained. For equipment, CU removes hard drives before the equipment is recycled and destroys the drives. CU anticipates and evaluates changes to the information system or network.
CU plans for changes to information systems and the network and incorporate appropriate measures to ensure both physical and data security. Banner upgrades and changes are tested by the Banner users group before they are placed into production. A log is maintained of authorized users’ activity and keep an eye out for unauthorized access. Banner currently provides this functionality on a limited basis with a full logging system to be delivered during the current year by Ellucian. Risk assessments of all NIST 800-171 controls are conducted annually using WolfPac. CU uses a continuous improvement model. This year, CU identified improvements we could make in data loss prevention. CU already uses Microsoft’s data loss prevention features, but determined CU could also use Trendmicro’s DLP feature to further lessen the likelihood that emails or files containing PII will be shared. The other improvement CU made was by blocking network traffic from designated countries outside the US. CU can’t block all countries besides the US because the needs of our international students must be met. Vulnerability scans are conducted externally by CISA of Homeland Security weekly and internal vulnerability scans are conducted monthly using NESSUS. Simulated phishing campaigns are run continuously throughout the year through the KnowBe4 software which provides an institution risk score along with the industry average for phish-prone comparison. Risk scores are also assigned to each employee. CU’s average phish-prone percentage is 4.9 compared to the industry 5.5%. The phish prone percentage for the last campaign is 3%. CU has the following policies and procedures which are reviewed by the IT Council and IT Security Council: • Acceptable Use of Information Technology Policy • Disaster Recovery • Incident Response • Information Security Policy • Wireless Network policy Third parties are required to sign a document as part of the contract signifying security compliance. 
Additionally, all third-party software is included in the vulnerability scans. Changes are determined and implemented based on the risk assessments and regular review of security information from external and internal sources by the IT Security Council. CU has a written Incident Response Procedure which became effective on March 8, 2022. The Chief Information Officer reports at least annually on the institution’s information security program. After reviewing the security plan in February in the Security Council Meeting, CU determined that adding a section on multifactor authentication was overlooked. CU does require and enforce MFA on all employees, but it is not documented in the plan. This will be added to the plan and approved at the next meeting. Fairmont State University (FSU) response A written program was developed in May 2023, management has reviewed and signed the documentation for the written information security program. The written program is effective January 2024. Marshall University (MU) response A regular review of each policy is being implemented per recommendations by our cybersecurity advisor in the 2023 GLBA Assessment Report. Information Technology (IT) policies and administrative procedures are being updated by the Marshall University IT Council (ITC). Once updated, they will be scheduled for an annual policy review as part of the IT activity wheel as a corrective action for this finding. In late June 2023, a GLBA Risk Assessment was conducted by an external cyber security advisor. Remediation of findings from this risk assessment is currently underway by a cross-functional team led by IT. Priority is being placed on addressing updates to 14 CFR 314.4 which took effect in early June 2023.
As a corrective action for this finding, the CISO will revise the written information security program to reflect the latest updates to 14 CFR 314.4. New River Community and Technical College (NRCTC) response NRCTC’s Data Stewards will be reviewing and approving this information each spring and then sharing that approval with the President’s Cabinet so that it appears in the minutes as evidence for the next audit. NRCTC also developed GLBA Compliance Procedures which were implemented in January 2024. Pierpont Community and Technical College (PCTC) response PCTC’s Information Security Program is overseen and administered by the CIO of the Institution. The CIO will use all information that can be gathered to help protect the Institution. PCTC uses multiple vendors to help identify and mitigate internal and external risks. A third-party vendor is used to perform a yearly security audit. A weekly cyber hygiene assessment is provided to the Institution by CISA. A third-party vendor is used to patch and maintain all on-prem networking equipment to the latest patch levels where needed including firewalls and internal equipment. The following safeguards are used: a. Physical access to all sensitive information technology (IT) areas is locked down via either key or keycard access and follow the access to security controlled spaces policy. PCTC adheres to a least privileged access model for sensitive data. b. Random periodic checks are done on data inventory throughout the year. c. The system that houses all student systems and employee information is hosted on web-based systems and the connections are encrypted and secure. Email to outside parties that contain sensitive information is encrypted. The data security policy will be followed. d. PCTC does not use any in-house developed applications. e. Multi-factor authentication (MFA) will be turned on for email and all other SSO applications in the first quarter of 2024 for all internal employees. f.
Any data stored electronically on physical media is disposed of using a third-party vendor that provides the Institution with a certificate of destruction and follows the Computer Disposal Policy. g. All PCTC systems and networks are periodically reviewed for changes. Any changes outside of a standard change (i.e. Windows updates), will be logged in the change control document. h. System logs and privileged access groups (i.e. domain admins, etc.) are routinely reviewed for inappropriate changes. PCTC uses the information from the yearly audit in conjunction with the weekly cyber hygiene report to test and monitor any remediations that have been deployed. PCTC is currently working on a formal policy committee approval process that will be implemented within the first quarter of 2024. At this time, all IT policies will be formally accepted and followed. PCTC will have a service contract and/or business agreement in place with all outside vendors that will outline the terms and scope between the two entities. All information that is discovered from all audits, testing, scans, or other tools that the IT department deems necessary, will be used to remediate and/or help make changes to existing policies to help protect PCTC and all users’ data. Shepherd University (SU) response Joseph Dagg serves as the CIO/CISO, Director of IT Services and serves as the point of contact for all things data security related, including GLBA as the Privacy Officer. Effective February 2024, activities performed as normal operations include access controls being reviewed at minimum once per year internally. Additionally, access/purge processes are executed on a rolling basis for students per year. Inventory of data occurs at minimum once per year internally. Protocols adhere to internal processes approving access via Banner custodian group. All data is encrypted at all stages, including transit. No apps are developed by SU. MFA is active.
Customer information is retained/disposed according to internal guidelines within IT Services of data. Changes are anticipated and regularly reviewed internally and externally with the aid of IT consultants and vendors to ensure our security posture. User logs are reviewed at a minimum of once per year internally. Internally, IT management meets every month to discuss security and additional processes that need accounted for in addition to monthly stand-up meetings to account for immediate agile changes. Internally, executive governance meetings occur at minimum annually to review existing policies and address security issues to forecast change. Internally, SU will be working with IT consultants and external vendors to participate in table top security exercises to test/validate internal procedures. Monthly and quarterly, Nessus scans are performed to assess risks and mitigation needs within network, adhering to the CISA and NIST protocols for data security. Executive governance staff, internal IT management, IT consultant and vendors work cohesively together to provide a pathway to improve our security posture. Effective immediately, IT Services will review all affiliated policies, procedures, and activities related to GLBA compliance on a quarterly basis. Results of these reviews and/or any corrective actions identified will be documented and retained through the IT ticketing system for future reference. West Liberty University (WLU) response WLU is active in evaluating the need and designing a procedure to ensure documentation relating to evidence of management reviews of user access to the WLU production network and our Banner financial system. The procedure will be complete by February 2024 and implemented immediately thereafter. It will include a minimum of two reviews per fiscal cycle. 
West Virginia Northern Community College (WVNCC) response The WVNCC IT Policies have been updated as of February 2024 to include the previously missing items of 1) designate the Director of IT to oversee and implement security programs and 2) periodic review schedule of access controls. West Virginia State University (WVSU) response WVSU concurs with the finding and has developed a plan of action to include the following: 1. Review and Identify Gaps: Conduct a thorough review of the current Information Security Program (ISP) against the requirements outlined in 16 CFR 314.4 and identify specific elements that are missing or inadequately addressed in the existing ISP. 2. Develop a Remediation Plan: Based on the identified gaps and insights through discussions with management and experts, create a detailed remediation plan and clearly outline the steps required to address each missing element in the ISP, including timelines, responsibilities, and resources needed. 3. Update Information Security Program: Implement the remediation plan by updating the Information Security Program to incorporate all the required elements specified in 16 CFR 314.4 and ensure that the revised ISP reflects best practices and industry standards for information security. 4. Training and Awareness Programs: Conduct training sessions and awareness programs for WVSU faculty and staff involved in the management and implementation of the Information Security Program and emphasize the importance of compliance with regulatory standards and educate staff on their roles and responsibilities in maintaining information security. 5. Periodic Reviews and Audits: Establish a system for periodic internal reviews of the Information Security Program to ensure ongoing compliance and implement a feedback loop that allows for continuous improvement and adjustments to the ISP based on changing regulatory requirements and emerging threats. 6.
Documentation and Reporting: Maintain comprehensive documentation of the updated Information Security Program, including the rationale for each inclusion and the corresponding actions taken. 7. Continuous Monitoring: Implement a continuous monitoring process to track the effectiveness of the updated ISP in real-time and utilize automated tools and regular risk assessments to identify and address any new vulnerabilities or compliance gaps promptly. 8. Communication and Transparency: Communicate the changes made to the Information Security Program transparently to all relevant stakeholders and foster a culture of openness and encourage reporting of any potential security issues or concerns. By following this plan of action, WVSU can implement the updated Information Security Program, and demonstrate a commitment to maintaining a robust and compliant information security posture by August 2024. West Virginia University at Parkersburg (WVU-P) response By March 29, 2024, WVU-P will implement a formal tracking program that will adequately document the review process of its Information Security Program. Review will occur the month of March for all sections of the Security Program by the designated responsible party and will repeat annually. Each section will be listed in a spreadsheet, shared with the appropriate responsible parties, along with the following details: section name, responsible party, last update date, last updated by, last review date, last reviewed by, and additional notes. All reviews will be tracked using this spreadsheet. 
Additionally, by March 29, 2024, WVU-P will implement and enforce the following password settings for Banner accounts:
● Minimum password length of <x>
● Password complexity requirements (Upper, lowercase, numbers, and symbols required)
● History (last three passwords will be checked)
● Account lockout: 3 attempts, 30 minute lock out
● WVU-P currently utilizes unique accounts for privileged access and will continue to prohibit the sharing of default privileged accounts.
By March 29, 2024, WVU-P will add internally developed applications to the annual formal review process. Application reviews will use the same process as Access Control and Information Security Policy reviews. Applications will be reviewed to identify which specific data sources are used, how they are used, and the potential impact of unauthorized access. Additionally, applications will be reviewed to ensure that industry standard security best practices are followed.
SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS Blue Ridge Community and Technical College, Bluefield State University, Fairmont State University, Marshall University, New River Community and Technical College, West Liberty University, West Virginia Northern Community College, West Virginia School of Osteopathic Medicine, and West Virginia University at Parkersburg Assistance Listing Number 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.264, 93.342, 93.364 Blue Ridge Community and Technical College (BRCTC) response BRCTC agrees with the auditor’s comments that the internal control process regarding the Satisfactory Academic Progress (SAP) Policy can be improved by maintaining documentation of an annual formal review of the SAP policy and its publication on the website, internal policy manuals and the student catalog. Effective January 2024, BRCTC’s website has been updated to appropriately reflect the SAP policy. Bluefield State University (BSU) response Effective January 2024, internal controls are in place to perform the Review of the Standards of Satisfactory Academic Progress Policy to comply with federal regulations 2-CFR 200.303, 34 CFR 668.16 (e) and 34 CFR 668.34. The current SAP policy was reviewed in June of 2023, but a signature was not maintained. The SAP policy will be reviewed annually prior to the new academic year that begins each August. The review will consist of the Director of Financial Aid, Chief Financial Officer and Provost reviewing all aspects of the current policy at first and then maintaining any changes annually along with retaining signatures of the annual review. The policies and procedures will be given a new review date each year to reflect the process.   Fairmont State University (FSU) response Effective January 2024, the following has been placed into the Satisfactory Academic Progress policy and will go into effect in Spring 2024 - Institutional Documentation Retention. 
Prior to the Satisfactory Academic Progress policy being applied to students at FSU, the Director will be responsible for the following: 1. Download the most current Satisfactory Academic Progress regulations from studentaid.gov. This documentation will be retained on the M drive under the appropriate aid year file folder for SAP. 2. Review, compare, and update the current Satisfactory Academic Progress policy at FSU with the most current federal regulations. The most current version of the policy will be signed off and dated by the Director of Financial Aid & Scholarship. This documentation will be retained on the M drive under the appropriate aid year file folder for SAP. 3. The Director of Financial Aid & Scholarships will provide any updates to the policy to the Information Systems Specialist by email in order for the Banner system to be updated with the updates. Email documentation will be retained on the M drive under the appropriate aid year file folder for SAP. 4. The Information Systems Specialist will update the Banner system in TEST. 5. The updates will be run in TEST by running the ROPSAPR process for the future fall and future summer terms. 6. The TEST data will be reviewed and evaluated to ensure all policy updates have been captured and the students have been appropriately evaluated according to federal regulations. 7. The Information Systems Specialist will notify the Director of Financial Aid & Scholarships by email the status of the TEST system to determine if additional updates need to be made. 8. If the Director approves the data from the TEST system, they will notify the Information Systems Specialist by email that the updates are ready for production. Email documentation will be retained on the M drive under the appropriate aid year file folder for SAP. 9. Updates will be applied to the production system by the Information Systems Specialist and the ROPSAPR process will be run on all current students for evaluation. 10. 
The Information Systems Specialist will notify the Director of Financial Aid & Scholarships by email once the process is complete for one final review of the data to ensure all federal regulations are being met and the students have been evaluated accordingly. Email documentation will be retained on the M drive under the appropriate aid year file folder for SAP. 11. The Director of Financial Aid & Scholarships will sign off on the completed process by email to the Information Systems Specialist. Email documentation will be retained on the M drive under the appropriate aid year file folder for SAP. Marshall University (MU) response MU updated the website in February-March which included a review of SAP Policies and Procedures. MU did not update the Revision Date as there were no updates to Satisfactory Academic Progress federal regulations for the 2023-24 aid year. The policy did not change but was reviewed when updates were made to the website. This policy was updated and also added to the website. Effective February 2024, MU will document and retain all reviews and approvals for compliance with federal regulations. New River Community and Technical College (NRCTC) response NRCTC will continue to review policies and procedures at least once, and sometimes twice a year when the catalog is reviewed. NRCTC will continue doing this review and maintain documentation to ensure compliance with federal regulations. West Liberty University (WLU) response Effective January 2024, to comply with internal control over federal awards, WLU will ensure that SAP policies are compliant with the US DOE standards and retain evidence of the review before the SAP procedures are completed annually. If there are no changes, the policy will be approved to move forward. A signed sheet of the SAP policy approval will be retained in the office and an email of no updates will be sent to others in the Financial Aid Office. 
If changes are necessary, a financial aid committee would meet to make the appropriate updates. Once the policies and procedures are updated, a signed copy of the update will be retained in the FA Office and an email of the updates will be sent to the Financial Aid Office and communicated to all faculty, staff and students. West Virginia Northern Community College (WVNCC) response Effective December 2023, a new internal control process has been added to validate WVNCC’s processes (including SAP) with any changes to the Dept of Ed regulations, as available for the upcoming school year. WVNCC begins creating the new policy and procedure manual as the new year financial aid setup begins. The Director of Financial Aid will be creating a task force which meets two times per year to review the procedures. As WVNCC’s policy and procedure manual is a live working document, updates will be made as needed with a revision date denoted where applicable. WVNCC had an initial conversation with NASFAA on their policy and procedure information available and has created a sign off form to verify the review of the policy each academic year. This process is being implemented during the 2023-2024, prior to this year, as with the 2022-2023 documents, changes in regulations or college policy changes were made in the policy and procedure manual but may not have had a revision date as it was done during the manual creation. This process will be fully implemented for the new 2024-2025 policy and procedure manual as it is being created. The new control will formalize this process, a review of applicable review is in process. West Virginia School of Osteopathic Medicine (WVSOM) response WVSOM did not have adequate internal controls in place surrounding the satisfactory academic policy (SAP) policy. 
A new SAP policy will be written and published to the public website to include reasonable standards for measuring whether eligible students are maintaining SAP in the educational program in our published SAP policy. The new policy will provide notification to the students of the results of an evaluation that impacts the students’ eligibility for title IV program funds. WVSOM will retain sufficient documentation that the procedures are performed and reviewed by the Financial Aid Director and a second review performed by the Associate Director of Financial Aid. The review will provide two signature sign-offs. West Virginia University at Parkersburg (WVU-P) response Financial Aid employees review all financial aid policies and procedures at minimum once per academic year. The Satisfactory Academic Progress (SAP) policy was reviewed and updated by financial aid staff throughout the spring and was approved by the Executive Vice President in June 2023, the updated SAP policy was forwarded to the President’s office to be filed and posted in the appropriate places, including online. WVU-P agrees that the updated and most recent SAP policy was not posted to the website prior to June 30, 2023. There was a college-wide policy review this spring, and the volume of that caused a delay in the policy’s posting. The resolution for this issue is to complete our policy review process earlier, and ensure if updates are necessary then the Marketing and Communications staff are aware of a deadline prior to June 30 to post the updated policy. WVU-P believes that there is sufficient documentation to show that the review of the SAP policy occurred within the academic year. The policies themselves have footnotes to document that Heather Skidmore reviewed the policies, and then the secondary review completed by Alice Harris before submission to the President. WVU-P will retain all communication that occurs related to future review processes to avoid a repeat finding on this issue.
SPECIAL TESTS AND PROVISIONS – NOTIFICATION OF CHANGES TO KEY PERSONNEL Division of Highways (the Division) Assistance Listing Number 20.933 Due to staff turnover, WVDOT recipient contact/key personnel had changed for some of the BUILD Transportation Discretionary Federal Grants. The USDOT representatives noted in the federal grants were not notified of these changes. The USDOT will be notified of all recent recipient contact/key personnel changes. Effective February 2024, when there are recipient changes, the USDOT will be notified within 30 days of the occurrence.
REPORTING Division of Highways (the Division) Assistance Listing Number 20.933 Effective January 2024, procedures have been put in place where pre-project performance management and quarterly progress reports on federal award projects will be compiled by WVDOT recipient/key personnel indicated in the BUILD Transportation Discretionary Federal Grants and submitted to USDOT by the 20th day after each calendar year quarter has closed as required by the grants. Prior reports that were not submitted to the USDOT as identified by the fiscal year 2023 audit will be sent.
REPORTING Workforce West Virginia (WWV) Assistance Listing Number 17.225 WWV updated reporting procedures in April 2023 and provided training to appropriate staff regarding the ETA 9050, 9052, and 9055 reports that did not have proper reviews documented prior to submission. That training is reflected in the reports selected after May 2023 that show proper documented reviews prior to submission.
INTERNAL CONTROLS OVER INFORMATION TECHNOLOGY Workforce West Virginia (WWV) Assistance Listing Number 17.225 WWV will create policies and procedures to be effective March 2024 which document the process for periodic review of administrative access and user access for the ABPS and UI Tax systems. Appropriate staff will be trained once the policies and procedures are implemented. The wvOASIS SOC audit report for 2023 was completed in September 2023 and WWV is in the process of reviewing the report at this time. Disaster Recovery testing was conducted with WV Office of Technology and the mainframe vendor Ensono October 16-19, 2023.
SCHEDULE OF EXPENDITURES OF FEDERAL AWARDS Department of Environmental Protection (DEP) Assistance Listing Number 15.252 Effective March 2024, DEP will develop and implement a standard operating procedure to track indirect costs. DEP will create a separate spreadsheet to track indirect costs to be included in the year ending SEFA reporting. DEP will attend training sessions conducted by the West Virginia Financial and Accounting Reporting Section to ensure all expenses are reported correctly on the SEFA. Additional training from accredited educational institutions will also be researched if necessary.
SUBRECIPIENT MONITORING Department of Environmental Protection (DEP) Assistance Listing Number 15.252 Effective April 2024, DEP will prepare and implement a written risk assessment policy containing monitoring and compliance review standards. DEP will also prepare and implement written standard operating procedures to assist in measuring subrecipient risk.
REPORTING Department of Environmental Protection (DEP) Assistance Listing Number 15.252 Effective March 2024, DEP will implement the following steps to correct the finding: 1. Review the Office of Surface Mining Federal Assistance Manual for information and instructions in regard to preparing the required financial reports for periodic and annual submissions. The information obtained from the Federal Assistance Manual will be compared to 2 CFR 200.328 and 329 to ensure all required information is included in the financial reports. 2. Review the Federal Notice of Grant Award documents to ensure that reporting period dates and the submitted reports reconcile and are in agreement. 3. Create and implement written narrative that agrees with the requirements set forth in the Federal Assistance Manual. 4. Develop and implement standard operating procedures to ensure timely, accurate reporting that involves a review and approval process prior to submission. 5. Create a checklist of required items, and signature lines to show that reviews/approvals have taken place.
TRANSPARENCY ACT REPORTING Department of Environmental Protection (DEP) Assistance Listing Number 15.252 Effective February 2024, DEP will implement the following steps to correct the finding: 1. Review 2 CFR 200.303 and the Federal Funding Accountability and Transparency Act (2 CFR 170) to determine the requirements and proper procedures in submitting FFATA reports in FSRS. 2. Evaluate the agency’s current standard operating procedure for submitting FFATA reports and identify deficiencies that address accuracy, accountability, and segregation of duties in approving and submitting reports. 3. Update the agency’s current standard operating procedures to better meet the requirements of 2 CFR 200.303 and the Federal Funding Accountability and Transparency Act (2 CFR 170) and address proper segregation of duties in reviewing, approving, and submitting FFATA reports.
TRANSPARENCY ACT REPORTING West Virginia Community Development Block Grant Program (CDBG) Assistance Listing Number 14.228 The CDBG program has experienced turnover in staff during the last year. While CDBG knows the FFATA report was submitted, a physical copy of this report could not be provided, and it cannot be verified if it was submitted on time. In the FSRS system, only the person who creates the original report can view, edit, and pull the actual report, and since the employee who was responsible for submitting this report is no longer with the agency, it cannot be determined when it was originally submitted. CAD staff have since recreated the report in the FSRS system so there is a copy of the report. To ensure this doesn't happen in the future, CAD staff has completed FFATA training for the personnel involved in the reporting process. CAD staff is creating a calendar with due dates for the program's reporting requirements to ensure the dates are not missed. Once the report is submitted in the FSRS system, staff is required to save a copy of the report in shared files. CAD is also looking to implement a system where a centralized person is responsible for submitting the FSRS reports to ensure all processes are completed and documents saved correctly.
TRANSPARENCY ACT REPORTING Department of Education (DOE) Assistance Listing Number 10.553, 10.555, 10.556, 10.559, 10.582 Setting up a process to comply with the FFATA reporting requires retrieving information from multiple systems. In addition, child nutrition reimbursements are more complex than grants that have a known subrecipient amount. Due to the complexity, DOE is relying on guidance from the USDA to complete reporting procedures. DOE is currently waiting to get answers to several questions that are preventing full development of a process. USDA is also working to help DOE find another state agency that can help with unanswered questions. A FFATA reporting process is anticipated to be in place by July 1, 2024.
SPECIAL TESTS AND PROVISIONS – ADP SYSTEM FOR SNAP Department of Health and Human Resources (DHHR) Assistance Listing Number 10.551, 10.561, COVID-19 10.561 Management within the DHHR, Bureau for Family Assistance (BFA), appreciates and shares the auditors’ concern with SNAP program integrity as it relates to the Recipient Automated Payment and Information Data System (RAPIDS) ADP system. The BFA notes that 7 CFR § 272.10 begins with, “(1) Purpose. All state agencies are required to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information concerning SNAP. Sufficient automation levels are those which result in effective programs or in cost effective reductions in errors and improvements in management efficiency, such as decreases in program administrative costs...” Within the RAPIDS ecosystem for SNAP administration, this automation includes data matching measures undertaken, in compliance with related federal rules as specified in 7 CFR § 272.8, 7 CFR § 272.16, etc., to automate the validation of client-provided, worker-input information while mitigating the additional administrative burden of secondary review for all worker interactions with a client’s case. Policy regarding state and federal data matching is laid out in Chapter 6 of the State’s Income Maintenance Manual (IMM) at https://dhhr.wv.gov/bfa/policyplans/Documents/Binder4.pdf. The primary data exchange system detailed in IMM Chapter 6 that is applicable to SNAP is the Income and Eligibility Verification System (IEVS) required by 7 CFR § 272.8. Systems mandated federally for inclusion in the IEVS include those operated by WorkForce WV, the Internal Revenue Service (IRS), and the U.S. Social Security Administration (SSA). 
A variety of other sources may also be queried for the purpose of validating client-provided information entered into RAPIDS by a worker, including Veterans Affairs (VA), Beneficiary and Earnings Data Exchange (BENDEX), Beneficiary Earnings and Exchange Record System (BEERS), National Directory of New Hires, and Prisoner Matching with the Department of Corrections as well as the Federal Data Services Hub (FDSH). IMM Chapter 6, page 2 describes the purpose of data matching through the IEVS thusly: Information obtained through IEVS is used for the following purposes: • To verify the eligibility of the assistance group (AG). • To verify the proper amount of benefits. • To determine if the AG received benefits to which it was not entitled. • To obtain information for use in criminal or civil prosecution based on receipt of benefits to which the AG was not entitled. IMM Chapter 6, pages 2-3 further detail the points at which a match with the IEVS must take place: A data exchange in the eligibility system occurs: • When a new case is created; • When a new person is added to a benefit; • When a person’s demographic information is changed; and, • On a periodic basis for all individuals in the eligibility system, depending on the type of benefit being received. Requirements for independent verification of information when automated data matches fail or report a discrepancy with client-provided, worker-input information are spelled out in IMM 6.4.4. The BFA believes that these automations, while perhaps not foolproof, are in keeping with both the word and intent of 7 CFR § 272.10, 7 CFR § 272.8, 7 CFR § 272.16, etc., which aim to automate processes in order to reduce administrative burden and associated costs, such as those that would be associated with a secondary review of all worker interactions with a client’s case. 
Furthermore, page 4-10.551-9 of the Compliance Supplement 2023, which lays out the suggested audit procedures for this topic, recommends the use of the USDA-FNS SNAP System Integrity Review Tool (SIRT) to ensure that the State’s ADP system is in alignment with USDA-FNS requirements and ensure that automated processes within RAPIDS continue to comport with federal requirements for ADP systems. To our knowledge, the auditors neither utilized that tool to guide their work nor requested verification from the State that the SIRT had been completed and previously employed. To support this response, management advocates a review of the SIRT submitted to FNS on October 26, 2023 in preparation for the go-live stage of the West Virginia People’s Access to Help (WV PATH) Family Assistance pilot program; as there is no significant difference in system functionality between the Family Assistance module of WV PATH and the existing eRAPIDS system, the responses/comments/replies from both FNS and the State that are included in this version of the SIRT generally apply both to eRAPIDS and to PATH. Throughout 2023, the BFA Division of Performance and Quality Improvement continued its ongoing SNAP case reviews, as well as its efforts to report compliance with monthly requirements for expanded supervisor case reviews conducted and tracked through the Rushmore case review system, as mandated in a December 7, 2022 memorandum to supervisors and made available to the auditors last year. Furthermore, the BFA developed additional worker training, including the reinstatement of face-to-face Statewide Payment Accuracy Conferences (held throughout the summer of 2023), with the aim to ensure that client information is accurately captured in RAPIDS so the ADP can perform its automated functions with integrity.