Corrective Action Plans

BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS Blue Ridge Community and Technical College, Bluefield State University, Concord University, Fairmont State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia State University, and West Virginia University at Parkersburg Assistance Listing Number 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.264, 93.342, 93.364 Effective February 2024, all West Virginia Higher Education institutions will ensure any new, modified or terminated access is defined and maintained to document the requestor, access rights modifications requested and approvals. Segregation of duties will be incorporated for the approval of any request. Processes for communication of terminated employees will be documented to ensure timely removal for any Banner user. Periodically, a review of user access will be performed to ensure access rights are consistent with current employees and job responsibilities. Documentation will be maintained for evidence of this review process. All Banner password settings will be configured to enhance overall security and privileged access will be granted to administrators by a unique identifier to ensure there will be no sharing of default accounts. Also, a formal documented change management process will be implemented to show authorization, testing and production approvals for any patches and releases of Banner application and supporting infrastructure to ensure the changes were properly authorized.

SPECIAL TESTS AND PROVISIONS – VERIFICATION Fairmont State University (FSU) Assistance Listing Number 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.264, 93.342, 93.364 Effective February 2024, controls were put into place to address the additional review of the verification compliance requirement process once the initial review was completed. A weekly review with a comprehensive monthly review will be implemented to ensure no students are missed through the review process.

SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY Blue Ridge Community and Technical College, Bluefield State University, Concord University, Fairmont State University, Marshall University, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia State University, and West Virginia University at Parkersburg Assistance Listing Number 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.264, 93.342, 93.364 Blue Ridge Community and Technical College (BRCTC) response Management acknowledges that BRCTC did not retain documentation for the review of the written information security policy during the audit year in question. Effective January 2024, documentation will be kept for the annual review of the written information security policy. Bluefield State University (BSU) response BSU will implement policies and procedures by May 2024 to ensure policies and procedures are in place to address the 7 elements and 8 safeguards that are in the Information Security Program. Concord University (CU) response A Complete Risk Assessment was conducted and completed in May 2023 using the ITIL standards. CU also completed the annual GLBA Risk Assessment using the WolfPac software from Wolf and Company in June 2023. This assessment is done in conjunction with Information Technology, Financial Aid, and the Business Office to evaluate the Controls established by NIST 800-171. In addition, CU uses the KnowBe4 product to do simulated phishing campaigns to test the effectiveness of the CyberSecurity Training. CU and every individual are assigned a Risk Score that can be compared to scores for the industry. Anyone that falls for a simulated phishing email is automatically enrolled in additional training. CU has also added the phish reporting function to email clients so everyone can easily report suspected phishing emails for analysis by IT. The GLBA Risk Assessment addresses the following: Employee training and management: All employees are required to complete two trainings each year. One on privacy focused on FERPA and the other on cybersecurity. Current training is being provided using the KnowBe4 software product. CU has reviewed the access to all college resources, especially Banner over the past few months, and made necessary changes to each employee’s access as needed. This review was completed by the Banner data custodians and supervisors. This allows us to ensure alignment of user privileges and job responsibilities. Access to all Banner data was approved by the appropriate data custodian. This is documented and archived in an IT account. All users are required to enter a unique username and password to gain access and are required to meet Microsoft’s password complexity standards. Another important safeguard is physical security. All tele-communication closets are secured by locks and only IT staff has access via a master key or badge. This also is true of the Data Center which houses our on-campus servers. Access to all of our campus services are secured by VPN tunnels. Trendmicro is used to protect client PCs. CU also uses bitlocker on mobile equipment used by employees to encrypt the data. Data that may be stored on mobile devices are required to be encrypted. CU is currently creating a data retention policy for the retention and disposal of data. This policy will meet the state and federal requirements for data retention. Information Systems, including network and software design, as well as, information processing, storage, transmission, disposal, and a complete risk assessment was conducted and completed in May 2023 using the ITIL standards. CU completed a risk assessment using the WolfPac software from Wolf and Company in June 2023. In addition, CU uses the KnowBe4 product to do simulated phishing campaigns to test the effectiveness of the cybersecurity training. The institution and every individual are assigned a risk score that can be compared to scores for the industry. Anyone that falls for a simulated phishing email is automatically enrolled in additional training. CU has also added the phish reporting function to email clients so everyone can easily report suspected phishing emails for analysis by IT. Detecting, preventing, and responding to attacks, intrusions, or other system failures. CU uses a Fortinet Fortigate Appliance to provide Intrusion Prevention System (IPS) Firewall, and Virtual Private Network (VPN) connections to campus. Regular software maintenance and patch management of network equipment is performed. Network patches are deployed in a test bed as they are released. If no issues are found, they are deployed to production network equipment. Systems are monitored weekly and required patches are first cleared with Enterprise Systems to ensure compatibility with Student Information System before production implementation. CU created the incident response plan and disaster recovery plan in 2022. CU partnered with CISA of Homeland Security to conduct weekly vulnerability scans using their Cyber Hygiene Services in 2022. CU also uses Nessus to do internal vulnerability scans on a monthly basis. CU is using these reports to make needed changes to network and server infrastructure to stay as protected as possible from threats. CU implemented multifactor factor authentication for all employees in 2022. Backups of student information system are facilitated by Oracle in our Oracle cloud environment using the Oracle database backup cloud service. Production backups are configured to retain 45 days of changes. CU conducts redundant nightly backups that will be stored on-campus for 365 day coverage and retention. CU also implemented immutable backups through ORACLE during 2023. Safeguards for each risk were identified. Safeguard for each risk were discussed and are shown in the Risk Assessment. CU identified two areas for improvement. Implementing data loss prevention in TrendMicro Apex 1 and blocking traffic from unfriendly nations. Implement and periodically review access controls. Access to Banner is reviewed annually by the data stewards and any unnecessary employee access is removed. Additionally, access is removed when employees leave the institution. CU conducts a periodic inventory of data, noting where it’s collected, stored, or transmitted. This is done as part of the GLBA risk assessment using WolfPac. CU encrypts customer information on the institution’s system and when it’s in transit. Bitlocker is used on university equipment to encrypt the entire computer hard drive. Security channels are used to transfer data when needed. A vpn tunnel and web access firewalls are used to access the Banner data in the Oracle Cloud Infrastructure (OCI). The databases are encrypted at rest and in-transit. Assess apps are developed by CU and internal and external vulnerability scans are conducted. CU also reviews system logs and uses well supported development frameworks and tools. CU implemented multi-factor authentication for anyone accessing customer information on the institution’s system. Multi-factor authentication is required of all employees before they can access CU resources off-site. The employee network is segmented on its own virtual local area network. CU disposes of customer information securely and purged online forms that are no longer needed, especially those that contain PII. Financial Aid recently destroyed old documents using an onsite shredding service after scanning the documents that needed to be retained. For equipment, CU removes hard drives before the equipment is recycled and destroys the drives. CU anticipates and evaluates changes to the information system or network. CU plans for changes to information systems and the network and incorporate appropriate measures to ensure both physical and data security. Banner upgrades and changes are tested by the Banner users group before they are placed into production. A log is maintained of authorized users’ activity and keep an eye out for unauthorized access. Banner currently provides this functionality on a limited basis with a full logging system to be delivered during the current year by Ellucian. Risk assessments of all NIST 800-171 controls are conducted annually using WolfPac. CU uses a continuous improvement model. This year, CU identified improvements we could make in data loss prevention. CU already uses Microsoft’s data loss prevention features, but determined CU could also use Trendmicro’s DLP feature to further lessen the likelihood that emails or files containing PII will be shared. The other improvement CU made was by blocking network traffic from designated countries outside the US. CU can’t block all countries besides the US because the needs of our international students must be met. Vulnerability scans are conducted externally by CISA of Homeland Security weekly and internal vulnerability scans are conducted monthly using NESSUS. Simulated phishing campaigns are run continuously throughout the year through the KnowBe4 software which provides an institution risk score along with the industry average for phish-prone comparison. Risk scores are also assigned to each employee. CU’s average phish-prone percentage is 4.9 compared to the industry 5.5%. The phish prone percentage for the last campaign is 3%. CU has the following policies and procedures which are reviewed by the IT Council and IT Security Council: • Acceptable Use of Information Technology Policy • Disaster Recovery • Incident Response • Information Security Policy • Wireless Network policy Third parties are required to sign a document as part of the contract signifying security compliance. Additionally, all third-party software is included in the vulnerability scans. Changes are determined and implemented based on the risk assessments and regular review of security information from external and internal sources by the IT Security Council. CU has a written Incident Response Procedure which became effective on March 8, 2022. The Chief Information Officer reports at least annually on the institution’s information security program. After reviewing the security plan in February in the Security Council Meeting, CU determined that adding a section on multifactor authentication was overlooked. CU does require and enforce MFA on all employees, but it is not documented in the plan. This will be added to the plan and approved at the next meeting. Fairmont State University (FSU) response A written program was developed in May 2023, management has reviewed and signed the documentation for the written information security program. The written program is effective January 2024. Marshall University (MU) response A regular review of each policy is being implemented per recommendations by our cybersecurity advisor in the 2023 GLBA Assessment Report. Information Technology (IT) policies and administrative procedures are being updated by the Marshall University IT Council (ITC). Once updated, they will be scheduled for an annual policy review as part of the IT activity wheel as a corrective action for this finding. In late June 2023, a GLBA Risk Assessment was conducted by an external cyber security advisor. Remediation of findings from this risk assessment is currently underway by a cross-functional team lead by IT. Priority is being placed on addressing updates to 14 CFR 314.4 which took effect in early June 2023. As a corrective action for this finding, the CISO revise the written information security program to reflect the latest updates to 14 CFR 314.4 New River Community and Technical College (NRCTC) response NRCTC’s Data Stewards will be reviewing and approving this information each spring and then sharing that approval with the President’s Cabinet so that it appears in the minutes as evidence for the next audit. NRCTC also developed GLBA Compliance Procedures which were implemented in January 2024. Pierpont Community and Technical College (PCTC) response PCTC’s Information Security Program is overseen and administered by the CIO of the Institution. The CIO will use all information that can be gathered to help protect the Institution. PCTC uses multiple vendors to help identify and mitigate internal and external risks. A third-party vendor is used to perform a yearly security audit. A weekly cyber hygiene assessment is provided to the Institution by CISA. A third-party vendor is used to patch and maintain all on-prem networking equipment to the latest patch levels where needed including firewalls and internal equipment. The following safeguards are used: a. Physical access to all sensitive information technology (IT) areas is locked down via either key or keycard access and follow the access to security controlled spaces policy. PCTC adheres to a least privileged access model for sensitive data. b. Random periodic checks are done on data inventory throughout the year. c. The system that houses all student systems and employee information is hosted on web-based systems and the connections are encrypted and secure. Email to outside parties that contain sensitive information is encrypted. The data security policy will be followed. d. PCTC does not use any in-house developed applications. e. Multi-factor authentication (MFA) will be turned on for email and all other SSO applications in the first quarter of 2024 for all internal employees. f. Any data stored electronically on physical media is disposed of using a third-party vendor that provides the Institution with a certificate of destruction and follows the Computer Disposal Policy. g. All PCTC systems and networks are periodically reviewed for changes. Any changes outside of a standard change (i.e. Windows updates), will be logged in the change control document. h. System logs and privileged access groups (i.e. domain admins, etc.) are routinely reviewed for inappropriate changes. PCTC uses the information from the yearly audit in conjunction with the weekly cyber hygiene report to test and monitor any remediations that have been deployed. PCTC is currently working on a formal policy committee approval process that will be implemented withing the first quarter of 2024. At this time, all IT policies will be formally accepted and followed. PCTC will have a service contract and/or business agreement in place with all outside vendors that will outline the terms and scope between the two entities. All information that is discovered from all audits, testing, scans, or other tools that the IT department deems necessary, will be used to remediate and/or help make changes to existing polices to help protect PCTC and all user’s data. Shepherd University (SU) response Joseph Dagg serves as the CIO/CISO, Director of IT Services and serves as the point of contact for all things data security related, including GLBA as the Privacy Officer. Effective February 2024, activities performed as normal operations include access controls being reviewed at minimum once per year internally. Additionally, access/purge processes are executed on a rolling basis for students per year. Inventory of data occurs at minimum once per year internally. Protocols adhere to internal processes approving access via Banner custodian group. All data is encrypted at all stages, including transit. No apps are developed by SU. MFA is active. Customer information is retained/disposed according to internal guidelines within IT Services of data. Changes are anticipated and regularly reviewed internally and externally with the aid of IT consultants and vendors to ensure our security posture. User logs are reviewed at a minimum of once per year internally. Internally, IT management meets every month to discuss security and additional processes that need accounted for in addition to monthly stand-up meetings to account for immediate agile changes. Internally, executive governance meetings occur at minimum annually to review existing policies and address security issues to forecast change. Internally, SU will be working with IT consultants and external vendors to participate in table top security exercises to test/validate internal procedures. Monthly and quarterly, Nessus scans are performed to assess risks and mitigation needs within network, adhering to the CISA and NIST protocols for data security. Executive governance staff, internal IT management, IT consultant and vendors work cohesively together to provide a pathway to improve our security posture. Effective immediately, IT Services will review all affiliated policies, procedures, and activities related to GLBA compliance on a quarterly basis. Results of these reviews and/or any corrective actions identified will be documented and retained through the IT ticketing system for future reference. West Liberty University (WLU) response WLU is active in evaluating the need and designing a procedure to ensure documentation relating to evidence of management reviews of user access to the WLU production network and our Banner financial system. The procedure will be complete by February 2024 and implemented immediately thereafter. It will include a minimum of two reviews per fiscal cycle. West Virginia Northern Community College (WVNCC) response The WVNCC IT Policies has been updated as of February 2024 to include the previous missing items of 1) designate the Director of IT to oversee and implement security programs and 2) periodic review schedule of access controls. West Virginia State University (WVSU) response WVSU concurs with the finding and has developed a plan of action to include the following: 1. Review and Identify Gaps: - Conduct a thorough review of the current Information Security Program (ISP) against the requirements outlined in 16 CFR 314.4 and identify specific elements that are missing or inadequately addressed in the existing ISP. 2. Develop a Remediation Plan: Based on the identified gaps and insights through discussions with management and experts, create a detailed remediation plan and clearly outline the steps required to address each missing element in the ISP, including timelines, responsibilities, and resources needed. 3. Update Information Security Program: Implement the remediation plan by updating the Information Security Program to incorporate all the required elements specified in 16 CFR 314.4 and ensure that the revised ISP reflects best practices and industry standards for information security. 4. Training and Awareness Programs: Conduct training sessions and awareness programs for WVSU faculty and staff involved in the management and implementation of the Information Security Program and emphasize the importance of compliance with regulatory standards and educate staff on their roles and responsibilities in maintaining information security. 5. Periodic Reviews and Audits: Establish a system for periodic internal reviews of the Information Security Program to ensure ongoing compliance and implement a feedback loop that allows for continuous improvement and adjustments to the ISP based on changing regulatory requirements and emerging threats. 6. Documentation and Reporting: Maintain comprehensive documentation of the updated Information Security Program, including the rationale for each inclusion and the corresponding actions taken. 7. Continuous Monitoring: Implement a continuous monitoring process to track the effectiveness of the updated ISP in real-time and utilize automated tools and regular risk assessments to identify and address any new vulnerabilities or compliance gaps promptly. 8. Communication and Transparency: Communicate the changes made to the Information Security Program transparently to all relevant stakeholders and foster a culture of openness and encourage reporting of any potential security issues or concerns. By following this plan of action, WVSU can implement the updated Information Security Program, and demonstrate a commitment to maintaining a robust and compliant information security posture by August 2024. West Virginia University at Parkersburg (WVU-P) response By March 29, 2024, WVU-P will implement a formal tracking program that will adequately document the review process of its Information Security Program. Review will occur the month of March for all sections of the Security Program by the designated responsible party and will repeat annually. Each section will be listed in a spreadsheet, shared with the appropriate responsible parties, along with the following details: section name, responsible party, last update date, last updated by, last review date, last reviewed by, and additional notes. All reviews will be tracked using this spreadsheet. Additionally, by March, 29, 2024, WVU-P will implement and enforce the following password settings for Banner accounts: ● Minimum password length of <x> ● Password complexity requirements (Upper, lowercase, numbers, and symbols required) ● History (last three passwords will be checked) ● Account lockout: 3 attempts, 30 minute lock out ● WVU-P currently utilizes unique accounts for privileged access and will continue to prohibit the sharing of default privileged accounts. By March 29, 2024, WVU-P will add internally developed applications to the annual formal review process. Application reviews will use the same process as Access Control and Information Security Policy reviews. Applications will be reviewed to identify which specific data sources are used, how they are used, and the potential impact of unauthorized access. Additionally, applications will be reviewed to ensure that industry standard security best practices are followed.

SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS Blue Ridge Community and Technical College, Bluefield State University, Fairmont State University, Marshall University, New River Community and Technical College, West Liberty University, West Virginia Northern Community College, West Virginia School of Osteopathic Medicine, and West Virginia University at Parkersburg Assistance Listing Number 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.264, 93.342, 93.364 Blue Ridge Community and Technical College (BRCTC) response BRCTC agrees with the auditor’s comments that the internal control process regarding the Satisfactory Academic Progress (SAP) Policy can be improved by maintaining documentation of an annual formal review of the SAP policy and its publication on the website, internal policy manuals and the student catalog. Effective January 2024, BRCTC’s website has been updated to appropriately reflect the SAP policy. Bluefield State University (BSU) response Effective January 2024, internal controls are in place to perform the Review of the Standards of Satisfactory Academic Progress Policy to comply with federal regulations 2-CFR 200.303, 34 CFR 668.16 (e) and 34 CFR 668.34. The current SAP policy was reviewed in June of 2023, but a signature was not maintained. The SAP policy will be reviewed annually prior to the new academic year that begins each August. The review will consist of the Director of Financial Aid, Chief Financial Officer and Provost reviewing all aspects of the current policy at first and then maintaining any changes annually along with retaining signatures of the annual review. The policies and procedures will be given a new review date each year to reflect the process.   Fairmont State University (FSU) response Effective January 2024, the following has been placed into the Satisfactory Academic Progress policy and will go into effect in Spring 2024 - Institutional Documentation Retention. Prior to the Satisfactory Academic Progress policy being applied to students at FSU, the Director will be responsible for the following: 1. Download the most current Satisfactory Academic Progress regulations from studentaid.gov. This documentation will be retained on the M drive under the appropriate aid year file folder for SAP. 2. Review, compare, and update the current Satisfactory Academic Progress policy at FSU with the most current federal regulations. The most current version of the policy will be signed off and dated by the Director of Financial Aid & Scholarship. This documentation will be retained on the M drive under the appropriate aid year file folder for SAP. 3. The Director of Financial Aid & Scholarships will provide any updates to the policy to the Information Systems Specialist by email in order for the Banner system to be updated with the updates. Email documentation will be retained on the M drive under the appropriate aid year file folder for SAP. 4. The Information Systems Specialist will update the Banner system in TEST. 5. The updates will be ran in TEST by running the ROPSAPR process for the future fall and future summer terms. 6. The TEST data will be reviewed and evaluated to ensure all policy updates have been captured and the students have been appropriately evaluated according to federal regulations. 7. The Information Systems Specialist will notify the Director of Financial Aid & Scholarships by email the status of the TEST system to determine if additional updates need to be made. 8. If the Director approves the data from the TEST system, they will notify the Information Systems Specialist by email that the updates are ready for production. Email documentation will be retained on the M drive under the appropriate aid year file folder for SAP. 9. Updates will be applied to the production system by the Information Systems Specialist and the ROPSAPR process will be run on all current students for evaluation. 10. The Information Systems Specialist will notify the Director of Financial Aid & Scholarships by email once the process is complete for one final review of the data to ensure all federal regulations are being met and the students have been evaluated accordingly. Email documentation will be retained on the M drive under the appropriate aid year file folder for SAP. 11. The Director of Financial Aid & Scholarships will sign off on the completed process by email to the Information Systems Specialist. Email documentation will be retained on the M drive under the appropriate aid year file folder for SAP. Marshall University (MU) response MU updated the website in February-March which included a review of SAP Policies and Procedures. MU did not update the Revision Date as there were no updates to Satisfactory Academic Progress federal regulations for the 2023-24 aid year. The policy did not change but was reviewed when updates were made to the website. This policy was updated and also added to the website. Effective February 2024, MU will document and retain all reviews and approvals for compliance with federal regulations. New River Community and Technical College (NRCTC) response NRCTC will continue to review policies and procedures at least once, and sometimes twice a year when the catalog is reviewed. NRCTC will continue doing this review and maintain documentation to ensure compliance with federal regulations. West Liberty University (WLU) response Effective January 2024, to comply with internal control over federal awards, WLU will ensure that SAP policies are compliant with the US DOE standards and retain evidence of the review before the SAP procedures are completed annually. If there are no changes, the policy will be approved to move forward. A signed sheet of the SAP policy approval will be retained in the office and an email of no updates will be sent to others in the Financial Aid Office. If changes are necessary, a financial aid committee would meet to make the appropriate updates. Once the policies and procedures are updated, a signed copy of the update will be retained in the FA Office and an email of the updates will be sent to the Financial Aid Office and communicated to all faculty, staff and students. West Virginia Northern Community College (WVNCC) response Effective December 2023, a new internal control process has been added to validate WVNCC’s processes (including SAP) with any changes to the Dept of Ed regulations, as available for the upcoming school year. WVNCC begins creating the new policy and procedure manual as the new year financial aid setup begins. The Director of Financial Aid will be creating a task force which meets two times per year to review the procedures. As WVNCC’s policy and procedure manual is a live working document, updates will be made as needed with a revision date denoted where applicable. WVNCC had an initial conversation with NASFAA on their policy and procedure information available and has created a sign off form to verify the review of the policy each academic year. This process is being implemented during the 2023-2024, prior to this year, as with the 2022-2023 documents, changes in regulations or college policy changes were made in the policy and procedure manual but may not have had a revision date as it done during the manual creation. This process will be fully implemented for the new 2024-2025 policy and procedure manual as it is being created. The new control will formalize this process, a review of applicable review is in process. West Virginia School of Osteopathic Medicine (WVSOM) response WVSOM did not have adequate internal controls in place surrounding the satisfactory academic policy (SAP) policy. A new SAP policy will be written and published to the public website to include reasonable standards for measuring whether eligible students are maintaining SAP in the educational program in our published SAP policy. The new policy will provide notification to the students of the results of an evaluation that impacts the students’ eligibility for title IV program funds. WVSOM will retain sufficient documentation that the procedures are performed and reviewed by the Financial Aid Director and a second review performed by the Associate Director of Financial Aid. The review will provide two signature sign-offs. West Virginia University at Parkersburg (WVU-P) response Financial Aid employees review all financial aid policies and procedures at minimum once per academic year. The Satisfactory Academic Progress (SAP) policy was reviewed and updated by financial aid staff throughout the spring and was approved by the Executive Vice President in June 2023, the updated SAP policy was forwarded to the President’s office to be filed and posted in the appropriate places, including online. WVU-P agrees that the updated and most recent SAP policy was not posted to the website prior to June 30, 2023. There was a college-wide policy review this spring, and the volume of that caused a delay in the policy’s posting. The resolution for this issue is to complete our policy review process earlier, and ensure if updates are necessary then the Marketing and Communications staff are aware of a deadline prior to June 30 to post the updated policy. WVU-P believes that there is sufficient documentation to show that the review of the SAP policy occurred within the academic year. The policies themselves have footnotes to document that Heather Skidmore reviewed the policies, and then the secondary review completed by Alice Harris before submission to the President. WVU-P will retain all communication that occurs related to future review processes to avoid a repeat finding on this issue.

SPECIAL TESTS AND PROVISIONS – NOTIFICATION OF CHANGES TO KEY PERSONNEL Division of Highways (the Division) Assistance Listing Number 20.933 Due to staff turnover, WVDOT recipient contact/key personnel had changed for some of the BUILD Transportation Discretionary Federal Grants. The USDOT representatives noted in the federal grants were not notified of these changes. The USDOT will be notified of all recent recipient contact/key personnel changes. Effective February 2024, when there are recipient changes, the USDOT will be notified within 30 days of the occurrence.

REPORTING Division of Highways (the Division) Assistance Listing Number 20.933 Effective January 2024, procedures have been put in place where pre-project performance management and quarterly progress reports on federal award projects will be compiled by WVDOT recipient/key personnel indicated in the BUILD Transportation Discretionary Federal Grants and submitted to USDOT by the 20th day after each calendar year quarter has closed as required by the grants. Prior reports that were not submitted to the USDOT as identified by the fiscal year 2023 audit will be sent.

REPORTING Workforce West Virginia (WWV) Assistance Listing Number 17.225 WWV updated reporting procedures in April 2023 and provided training to appropriate staff regarding the ETA 9050, 9052, and 9055 reports that did not have proper reviews documented prior to submission. That training is reflected in the reports selected after May 2023 that show proper documented reviews prior to submission.

INTERNAL CONTROLS OVER INFORMATION TECHNOLOGY Workforce West Virginia (WWV) Assistance Listing Number 17.225 WWV will create policies and procedures to be effective March 2024 which documents the process for periodic review of administrative access and user access for the ABPS and UI Tax systems. Appropriate staff will be trained once the policies and procedures are implemented. The wvOASIS SOC audit report for 2023 was completed in September 2023 and WVV is in the process of reviewing the report at this time. Disaster Recovery testing was conducted with WV Office of Technology and the mainframe vendor Ensono October 16-19, 2023.

SCHEDULE OF EXPENDITURES OF FEDERAL AWARDS Department of Environmental Protection (DEP) Assistance Listing Number 15.252 Effective March 2024, DEP will develop and implement a standard operating procedure to track indirect costs. DEP will create a separate spreadsheet to track indirect costs to be included in the year ending SEFA reporting. DEP will attend training sessions conducted by the West Virginia Financial and Accounting Reporting Section to ensure all expenses are reported correctly on the SEFA. Additional training from accredited educational institutions will also be researched if necessary.

SUBRECIPIENT MONITORING Department of Environmental Protection (DEP) Assistance Listing Number 15.252 Effective April 2024, DEP will prepare and implement a written risk assessment policy containing monitoring and compliance review standards. DEP will also prepare and implement written standard operating procedures to assist in measuring subrecipient risk.

REPORTING Department of Environmental Protection (DEP) Assistance Listing Number 15.252 Effective March 2024, DEP will implement the following steps to correct the finding: 1. Review the Office of Surface Mining Federal Assistance Manual for information and instructions in regard to preparing the required financial reports for periodic and annual submissions. The information obtained from the Federal Assistance Manual will be compared to 2 CFR 200.328 and 329 to ensure all required information is included in the financial reports. 2. Review the Federal Notice of Grant Award documents to ensure that reporting period dates and the submitted reports reconcile and are in agreement. 3. Create and implement written narrative that agrees with the requirements set forth in the Federal Assistance Manual. 4. Develop and implement standard operating procedures to ensure timely, accurate reporting that involves a review and approval process prior to submission. 5. Create a checklist of required items, and signature lines to show that reviews/approvals have taken place.

TRANSPARENCY ACT REPORTING Department of Environmental Protection (DEP) Assistance Listing Number 15.252 Effective February 2024, DEP will implement the following steps to correct the finding: 1. Review 2 CFR 200.303 and the Federal Funding Accountability and Transparency Act (2 CFR 170) to determine the requirements and proper procedures in submitting FFATA reports in FSRS. 2. Evaluate the agency’s current standard operating procedure for submitting FFATA reports and identify deficiencies that address accuracy, accountability, and segregation of duties in approving and submitting reports. 3. Update the agency’s current standard operating procedures to better meet the requirements 2 CFR 200.303 and the Federal Funding Accountability and Transparency Act (2 CFR 170) and addresses proper segregation of duties in reviewing, approving, and submitting FFATA reports.

TRANSPARENCY ACT REPORTING West Virginia Community Development Block Grant Program (CDBG) Assistance Listing Number 14.228 The CDBG program has experienced turnover in staff during the last year. While CDBG knows the FFATA report was submitted, a physical copy of this report could not be provided, and it cannot be verified if it was submitted on time. In the FSRS system, only the person who creates the original report can view, edit, and pull the actual report, and since the employee who was responsible for submitting this report is no longer with the agency, it cannot be determined when it was originally submitted. CAD staff have since recreated the report in the FSRS system so there is a copy of the report. To ensure this doesn't happen in the future, CAD staff has completed FFATA training for the personnel involved in the reporting process. CAD staff is creating a calendar with due dates for the programs reporting requirements to ensure the dates are not missed. Once the report is submitted in the FSRS system, staff is required to save a copy of the report in shared files. CAD is also looking to implement a system where a centralized person is responsible for submitting the FSRS reports to ensure all processes are completed and documents saved correctly.

TRANSPARENCY ACT REPORTING Department of Education (DOE) Assistance Listing Number 10.553, 10.555, 10.556, 10.559, 10.582 Setting up a process to comply with the FFATA reporting requires retrieving information from multiple systems. In addition, child nutrition reimbursements are more complex than grants that have a known subrecipient amount. Due to the complexity, DOE is relying on guidance from the USDA to complete reporting procedures. DOE is currently waiting to get answers to several questions that are preventing full development of a process. USDA is also working to help DOE find another state agency that can help with unanswered questions. A FFATA reporting process is anticipated to be in place by July 1, 2024.

SPECIAL TESTS AND PROVISIONS – ADP SYSTEM FOR SNAP Department of Health and Human Resources (DHHR) Assistance Listing Number 10.551, 10.561, COVID-19 10.561 Management within the DHHR, Bureau for Family Assistance (BFA), appreciates and shares the auditors’ concern with SNAP program integrity as it relates to the Recipient Automated Payment and Information Data System (RAPIDS) ADP system. The BFA notes that 7 CFR § 272.10 begins with, “(1) Purpose. All state agencies are required to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information concerning SNAP. Sufficient automation levels are those which result in effective programs or in cost effective reductions in errors and improvements in management efficiency, such as decreases in program administrative costs...” Within the RAPIDS ecosystem for SNAP administration, this automation includes data matching measures undertaken, in compliance with related federal rules as specified in 7 CFR § 272.8, 7 CFR § 272.16, etc., to automate the validation of client-provided, worker-input information while mitigating the additional administrative burden of secondary review for all worker interactions with a client’s case. Policy regarding state and federal data matching is laid out in Chapter 6 of the State’s Income Maintenance Manual (IMM) at https://dhhr.wv.gov/bfa/policyplans/Documents/ Binder4.pdf. The primary data exchange system detailed in IMM Chapter 6 that is applicable to SNAP is the Income and Eligibility Verification System (IEVS) required by 7 CFR § 272.8. Systems mandated federally for inclusion in the IEVS include those operated by WorkForce WV, the Internal Revenue Service (IRS), and the U.S. Social Security Administration (SSA). A variety of other sources may also be queried for the purpose of validating client-provided information entered into RAPIDS by a worker, including Veterans Affairs (VA), Beneficiary and Earnings Data Exchange (BENDEX), Beneficiary Earnings and Exchange Record System (BEERS), National Directory of New Hires, and Prisoner Matching with the Department of Corrections as well as the Federal Data Services Hub (FDSH). IMM Chapter 6, page 2 describes the purpose of data matching through the IEVS thusly: Information obtained through IEVS is used for the following purposes: • To verify the eligibility of the assistance group (AG). • To verify the proper amount of benefits. • To determine if the AG received benefits to which it was not entitled. • To obtain information for use in criminal or civil prosecution based on receipt of benefits to which the AG was not entitled. IMM Chapter 6, pages 2-3 further detail the points at which a match with the IEVS must take place: A data exchange in the eligibility system occurs: • When a new case is created; • When a new person is added to a benefit; • When a person’s demographic information is changed; and, • On a periodic basis for all individuals in the eligibility system, depending on the type of benefit being received. Requirements for independent verification of information when automated data matches fail or report a discrepancy with client-provided, worker-input information are spelled out in IMM 6.4.4. The BFA believes that these automations, while perhaps not foolproof, are in keeping with both the word and intent of 7 CFR § 272.10, 7 CFR § 272.8, 7 CFR § 272.16, etc., which aim to automate processes in order to reduce administrative burden and associated costs, such as those that would be associated with a secondary review of all worker interactions with a client’s case. Furthermore, page 4-10.551-9 of the Compliance Supplement 2023, which lays out the suggested audit procedures for this topic, recommends the use of the USDA-FNS SNAP System Integrity Review Tool (SIRT) to ensure that the State’s ADP system is in alignment with USDA-FNS requirements and ensure that automated processes within RAPIDS continue to comport with federal requirements for ADP systems. To our knowledge, the auditors neither utilized that tool to guide their work nor requested verification from the State that the SIRT had been completed and previously employed. To support this response, management advocates a review of the SIRT submitted to FNS on October 26, 2023 in preparation for the go-live stage of the West Virginia People’s Access to Help (WV PATH) Family Assistance pilot program; as there is no significant difference in system functionality between the Family Assistance module of WV PATH and the existing eRAPIDS system, the responses/comments/replies from both FNS and the State that are included in this version of the SIRT generally apply both to eRAPIDS and to PATH. Throughout 2023, the BFA Division of Performance and Quality Improvement continued its ongoing SNAP case reviews, as well as its efforts to report compliance with monthly requirements for expanded supervisor case reviews conducted and tracked through the Rushmore case review system, as mandated in a December 7, 2022 memorandum to supervisors and made available to the auditors last year. Furthermore, the BFA developed additional worker training, including the reinstatement of face-to-face Statewide Payment Accuracy Conferences (held throughout the summer of 2023), with the aim to ensure that client information is accurately captured in RAPIDS so the APD can perform its automated functions with integrity.

DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS Department of Health and Human Resources (DHHR) Assistance Listing Number 10.551, 10.561, COVID-19 10.561, 93.558, COVID-19 93.558, 93.568, COVID-19 93.568, 93.575, 93.596, COVID-19 93.575, 93.658, 93.659, 93.767, 93.775, 93.777, COVID-19 93.777, 93.778 The DHHR is currently phasing in a new information technology system for determining eligibility, making payments, maintaining documentation, etc. The name of the new system is WVPATH (West Virginia People's Access to Help). The WVPATH system will replace the Family and Children's Tracking System (FACTS) and the Recipient Automated Payment Information Data System (RAPIDS), which are currently referenced in the finding. The WVPATH system will have additional controls and levels of review as compared with the FACTS and RAPIDS systems. Due to the timing of the phase-in process, the DHHR anticipates the finding will be resolved for the year ended June 30, 2024.

Finding 2023-001: Special Test and Provisions: Enrollment Reporting Context/Condition: Of the 40 students selected for enrollment reporting testing, 6 students within the sample were reported to NSLDS outside the maximum 60-day window. Recommendation: The auditor recommended that the University review and update internal controls to ensure student enrollment status in the National Student Loan Data System (NSLDS) is updated in a timely manner to ensure compliance with Federal Requirements. Persons Responsible for Corrective Action: Liz Force, University Registrar & Director of Records; Pam Barrett, Associate Vice President & Director of Financial Aid Planned Corrective Action: Brenau University contracts with the National Student Clearinghouse (NSC) to perform routine enrollment reporting required by Title IV Federal Student Aid regulations. The University's student information system contains a program designed to compile enrollment data for transmission to NSC in accordance with specifications provided by the National Student Loan Data System (NSLDS). We conducted a detailed review of the November 2022 NSLDS Reporting Guide and engaged the University's student information system vendor, who reviewed the current software logic and installed the modifications necessary to become compliant in this area. Anticipated Completion Date: November 7, 2023

FINDING 2023-007 Subject: COVID-19 – Education Stabilization Fund – Special Tests and Provisions – Wage Rate Requirements Summary of Finding: The School Corporation had not properly designed or implemented an effective system of internal controls to prevent, or detect and correct, noncompliance. Recommendation We recommended that management of the School Corporation design and implement a proper system of internal control, including policies and procedures that would provide segregation of duties to ensure appropriate reviews, approvals and oversight are taking place. Contact Person Responsible for Corrective Action: Casey Howard Contact Phone Number: 574-842-3364 x806 Views of the Responsible Officials: We concur with the finding. Description of Corrective Action Plan: The corporation will create and implement an effective system to prevent, or detect and correct, noncompliance. We will create an oversight or review process to obtain the required certified payrolls. Anticipated Completion Date: Completed as of January 2024

FINDING 2023-006 Subject: COVID-19 – Education Stabilization Fund – Reporting Summary of Finding: The School Corporation did not submit annual reports in a timely manner during the first year of the audit period. Reimbursement requests included invoices which had been reimbursed previously and some request did not agree with supporting documentation. Recommendation We recommended that management of the School Corporation establish a proper system of internal controls and develop policies and procedures to ensure reports are submitted timely and supporting documentation is used and retained for reimbursement requests. Contact Person Responsible for Corrective Action: Casey Howard Contact Phone Number: 574-842-3364 x806 Views of the Responsible Officials: We concur with the finding. Description of Corrective Action Plan: Reporting – The Treasurer and Deputy Treasurer will review and approve all grant reporting with Komputrol reports and grant approval. All deadlines will be submitted prior to due dates. The Superintendent, Treasurer, Deputy-Treasurer and/or Grant Writer will review all grant reimbursement requests prior to submission for accuracy. Anticipated Completion Date: Completed March 2023 – February 2024 INDIANA STATE

FINDING 2023-005 Subject: COVID-19 – Education Stabilization Fund – Equipment Summary of Finding: The School Corporation utilized Education Stabilization Funds to pay for equipment. The equipment was not included in the capital asset records. The capital asset listing provided did not identify which assets were purchased with federal dollars. Recommendation: We recommended that management of the School Corporation establish a proper system of internal controls and develop policies and procedures to ensure asset records include all the necessary information and new assets are added. Contact Person Responsible for Corrective Action: Casey Howard Contact Phone Number: 574-842-3364 x806 Views of the Responsible Officials: We concur with the finding. Description of Corrective Action Plan: Our corporation has a company that updates our fixed assets every two years. Between the two years our Deputy-Treasurer with the assistance of the Treasurer will work in an excel document to track all additions/deletions, identification, location, etc. All assets regarding equipment will be identified if purchased with federal grant funds. Anticipated Completion Date: February 2024

FINDING 2023-004 Subject: COVID-19 – Education Stabilization Fund – Earmarking Summary of Finding: Only 9% of the required 20% minimum earmarking requirement was spent. The remaining set aside amount that was requested for reimbursement was spent on activities that were not a part of the earmarking requirement. Recommendation We recommended that management of the School Corporation establish a proper system of internal controls and develop policies and procedures to ensure required earmarking requirements are met. Contact Person Responsible for Corrective Action: Casey Howard Contact Phone Number: 574-842-3364 x806 Views of the Responsible Officials: We concur with the finding. Description of Corrective Action Plan: The Superintendent, Treasurer, Deputy-Treasurer and/or Grant Writer will review all grant reimbursements prior to submission for all earmarking. Earmarking will be reviewed for implementation of evidence-based learning loss and accelerated learning. A grant amendment has been requested in January 2024 to include additional allowable expenses. Anticipated Completion Date: February 2024

FINDING 2023-003 Subject: COVID-19 – Education Stabilization Fund –Allowable Costs/Cost Principles Summary of Finding: Condition and Context The American Rescue Plan – Elementary and Secondary School Emergency Relief (ARP ESSER) Fund provided funding to States and school districts to help safely reopen and sustain the safe operation of schools and to address the impact of the coronavirus pandemic on the nation’s students. States were required to subgrant a portion of their ARP ESSER allocation to local educational agencies (LEA). Prior to LEAs receiving their respective subgrants, LEAs were required to complete an application for ARP ESSER funding, which was submitted to the Indiana Department of Education (IDOE), the pass-through entity for approval. The application included a district level budget identifying how the LEA intended to spend program funds. Per the School Corporation’s approved application, program funding was budgeted for salaries and respective benefits for Director of Student Support, Title I Aide, Career Coach, Summer School Positions, and a Social Emotional Academic Learning Liaison, as well as for equipment as classified under the facilities acquisition and construction expenditure account. The School Corporation noted on their application that the funds budgeted for equipment were strictly for the costs of the equipment and did not include any costs for labor. A sample of 31 claims charged to the ARP ESSER program for which reimbursement was received during the audit period was selected for testing to verify the expenditures were in conformance with the applicable cost principles. Of the 31 claims tested, four claims totaling $693,454, each of which were paid to the same contractor, included costs for labor and project management related to air handling units in multiple buildings. Due to the magnitude of the exceptions identified, all remaining payments made to this contractor for which the School Corporation received reimbursement during the audit period were abstracted and reviewed. Upon review of these claims, additional labor and project management costs of $306,745 were identified. The aggregate total of $1,000,199 expended for labor and project management costs are considered questioned costs as they were not approved by IDOE prior to being expended as required by the terms and conditions of the federal award. In addition, the School Corporation submitted twice to IDOE, four different invoices for expenditures related to the ARP ESSER program. As a result, the School Corporation received duplicate reimbursements for the expenditures on each of the four invoices, resulting in the School Corporation receiving $50,000 more than their approved allocation of ARP ESSER funding. The management of the School was aware of this error; however, did not contact IDOE to resolve the issue, nor did they return the funds to the State. Lastly, the School Corporation submitted to IDOE a request for reimbursement for expenditures totaling $12,113 for the Governor Emergency Education Relief Fund (GEER) program. The School Corporation received the reimbursement of $12,113 twice from IDOE. This resulted in the School Corporation receiving an extra $12,113 of GEER funding that they should not have received. The management of the INDIANA STATE BOARD OF ACCOUNTS 38 Culver Community Schools Corporation Karen Shuman, Superintendent www.culver.k12.in.us 700 School Street Aubbeenaubbee Township – Fulton County Culver, IN 46511-0231 North Bend Township – Starke County Phone (574) 842-3364 Tippecanoe Township – Pulaski County Fax (574) 842-4615 Union Township – Marshall County _________________________________________________________________ School was aware of this duplicate payment received from IDOE; however, did not contact IDOE to resolve the issue, nor did they return the funds to the State. Recommendation We recommended that management of the School Corporation establish a proper system of internal controls and develop policies and procedures to ensure costs are included in the approved budget, are only requested once, and are not retained if received in error. Contact Person Responsible for Corrective Action: Casey Howard Contact Phone Number: 574-842-3364 x806 Views of the Responsible Officials: We concur with the finding. Description of Corrective Action Plan: The Superintendent, Treasurer, Deputy-Treasurer and/or Grant writer will review all grant applications prior to submission. Upon grant approval the same parties will again review approval and review dollar amounts, allowable expenses, etc. The Superintendent, Treasurer, Deputy-Treasurer and/or Grant Writer will review all grant reimbursements and monitor/finance reports prior to submission. A grant amendment has been requested in January 2024 to include additional allowable expenses. Anticipated Completion Date: February 2024 INDIANA STATE

FINDING 2023-002 Subject: Child Nutrition Cluster – Suspension and Debarment Summary of Finding: The School Corporation did not verify vendor suspension and debarment status prior to payment. Recommendation We recommended that management of the School Corporation establish a system of internal and develop policies and procedures to ensure contractors and subrecipients, as appropriate are not suspended, debarred, or otherwise excluded prior to entering into any contracts or subawards. Contact Person Responsible for Corrective Action: Casey Howard Contact Phone Number: 574-842-3364 x806 Views of the Responsible Officials: We concur with the finding. Description of Corrective Action Plan: Food Service Director and/or Treasurer will utilize the procurement policy and will ensure all vendors paid with federal dollars have not been suspended or debarred. Anticipated Completion Date: Completed as of January 2024

FINDING 2023-003 Finding Subject: Subject: Child Nutrition Cluster - Procurement Summary of Finding: An adequate number of quotes were not obtained for small purchases. Contact Person Responsible for Corrective Action: Kellie Romer (Corporation Treasurer/Finance Director), Shelley Gardner (Corporation School Food Authority) Contact Phone Number and Email Address: 765-653-9771 Ext. 1010, kromer@greencastle.k12.in.us, 765-653-9771 Ext. 1011, sgardner@greencastle.k12.in.us Views of Responsible Officials: We concur with the finding Description of Corrective Action Plan: The procurement (small and micro purchases) will be verified by a two-person internal control; the food services director and food services assistant, finance director or deputy treasurer. We will also establish a process to address small and micro purchases. This would include acquiring bids for any combined expenditure(s) over a $150,000, acquiring quotes for any small purchase(s) between $10,000 and $150,000, and documenting equitable distribution among vendors concerning any micro purchases under $10,000. All vendor contracts will be approved yearly. All quotes and purchases will be verified by two-person internal control. Anticipated Completion Date: Immediately 2/8/2024

FINDING 2023-002 Finding Subject: Subject: COVID-19 - Education Stabilization Fund - Reporting Summary of Finding: Reports submitted were not substantiated by the ledgers. Contact Person Responsible for Corrective Action: Kellie Romer (Corporation Treasurer/Finance Director) Contact Phone Number and Email Address: 765-653-9771 Ext. 1010, kromer@greencastle.k12.in.us Views of Responsible Officials: We concur with the finding Description of Corrective Action Plan: The school corporation will establish a proper system for internal controls and develop procedures to ensure reports are supported by the financial records. Anticipated Completion Date: Immediately 2/8/2024