Baker Tilly US, LLP

777 E Wisconsin Ave, 32nd Fl Milwaukee, WI 53202-5313

T: +1 (414) 777 5500

F: +1 (414) 777 5555

Baker Tilly US, LLP trading as Baker Tilly is a member of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. © 2018 Baker Tilly US, LLP

 

July 25, 2021 

Dear Mr. McCrea:
Thank you for using Baker Tilly US, LLP ("Baker Tilly" or "we" or "our") as your auditors.

The purpose of this letter (the "Engagement Letter") is to confirm our understanding of the terms and objectives of our engagement and the nature of the services we will provide as independent accountants of the Rock University High School, a component unit of the School District of Janesville ("you" or "your").

Service and Related Report

We will audit the basic financial statements of the Rock University High School as of and for the year ended June 30, 2021, and the related notes to the financial statements. Upon completion of our audit, we will provide the Rock University High School with our audit report on the financial statements referred to below. If, for any reasons caused by or relating to the affairs or management of the Rock University High School, we are unable to complete the audit or are unable to or have not formed an opinion, or if we determine in our professional judgment the circumstances necessitate, we may withdraw and decline to issue a report as a result of this engagement.

In order to perform the professional services outlined in this Engagement Letter, Baker Tilly US, LLP requires access to information subject to Title II of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Federal law requires Baker Tilly US, LLP to execute a Business Associate Agreement ("BA Agreement") prior to being granted this information. For your convenience, we have attached our firm standard BA Agreement for your review and signature as Addendum A. Please execute and return a copy with this Engagement Letter, keeping the original BA Agreement on file with your HIPAA compliance records.

Our Responsibilities and Limitations

The objective of a financial statement audit is the expression of an opinion on the financial statements. The objective also includes reporting on:

• Internal control related to the financial statements and compliance with laws, regulations, and the provisions of contracts or grant agreements, noncompliance with which could have a direct and material effect on the financial statements in accordance with Government Auditing Standards.
• Internal control related to major federal and state programs and an opinion (or disclaimer of opinion) on compliance with laws, regulations, and the provisions of contracts or grant agreements that could have a direct and material effect on each major program in accordance with the Single Audit Act Amendments of 1996 and 0MB Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards ("Uniform Guidance") and the State Single Audit Guidelines.

The Government Auditing Standards report on internal control over financial reporting and on compliance and other matters will include a paragraph that states (i) that the purpose of the report is solely to describe the scope of testing of internal control and compliance, and the results of that testing, and not to provide an opinion on the effectiveness of the entity's internal control or on compliance, and (ii) that the report is an integral part of an audit performed in accordance with Government Auditing Standards in considering the entity's internal control and compliance. The Uniform Guidance report on internal control over compliance will include a paragraph that states that the purpose of the report on internal control over compliance is solely to describe the scope of testing of internal control over compliance and the results of that testing based on the requirements of the Uniform Guidance. Both reports will state that the report is not suitable for any other purpose.

We will be responsible for performing the audit in accordance with auditing standards generally accepted in the United States of America ("GMS"); the standards for financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; the Single Audit Act Amendments of 1996; the Uniform Guidance and the State Single Audit Guidelines, and will include tests of accounting records, a determination of major program(s) in accordance with the Uniform Guidance and the State Single Audit Guidelines, and other procedures we consider necessary to enable us to express such opinions and to render the required reports.

These standards require that we plan and perform our audit to obtain reasonable, rather than absolute, assurance about whether the financial statements are free of material misstatement, whether from (i) errors, (ii) fraudulent financial reporting, (iii) misappropriation of assets, or (iv) violations of laws or governmental regulations that are attributable to the Rock University High School or to acts by management or employees acting on behalf of the Rock University High School. Because the determination of abuse is subjective, Government Auditing Standards do not expect auditors to provide reasonable assurance of detecting abuse.

Our audit will include examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements, assessing accounting principles used and significant estimates made by management, and evaluating the overall financial statement presentation. Our audit does not relieve management and the audit committee or equivalent group charged with governance of their responsibilities.

The audit will include obtaining an understanding of the Rock University High School and its environment, including internal controls, sufficient to assess the risks of material misstatement of the financial statements and to determine the nature, timing and extent offurther audit procedures. An audit is not designed to provide assurance on internal control or to identify deficiencies in internal control. However, during the audit, we will communicate to management and the audit committee or equivalent group charged with governance internal control matters that are required to be communicated under professional standards. We will also inform you of any other matters involving internal control, if any, as required by Government Auditing Standards, the Uniform Guidance and the State Single Audit Guidelines.

 As required by the Uniform Guidance and the State Single Audit Guidelines, we will perform tests of controls over compliance to evaluate the effectiveness of the design and operation of controls that we consider relevant to preventing or detecting material noncompliance with compliance requirements applicable to each major federal and major state award program. However, our tests will be less in scope than would be necessary to render an opinion on those controls and, accordingly, no opinion will be expressed in our report on internal control over compliance issued pursuant to the Uniform Guidance and the State Single Audit Guidelines.

We will design our audit to obtain reasonable, but not absolute, assurance of detecting misstatements due to errors or fraud that would have a material effect on the financial statements as well as other illegal acts having a direct and material effect on financial statement amounts. An audit is not designed to detect error or fraud that is immaterial to the financial statements. Our audit will not include a detailed audit of transactions, such as would be necessary to disclose errors or fraud that did not cause a material misstatement of the financial statements. II is important to recognize that there are inherent limitations in the auditing process. Audits are based on the concept of selective testing of the data underlying the financial statements, which involves judgment regarding the areas to be tested and the nature, timing, extent and results of the tests to be performed. Our audit is not a guarantee of the accuracy of the financial statements and, therefore, is subject to the limitation that material errors or fraud or other illegal acts having a direct and material financial statement impact or a direct and material effect on major federal and state programs, if they exist, may not be detected.

Because of the characteristics of fraud, particularly those involving concealment through collusion, falsified documentation and management's ability to override controls, an audit designed and executed in accordance with GAAS and Government Auditing Standards, may not detect a material fraud. Further, while effective internal control reduces the likelihood that errors, fraud or other illegal acts will occur and remain undetected, it does not eliminate that possibility. For these reasons, we cannot ensure that errors, fraud or other illegal acts or noncompliance, if present, will be detected. However, we will communicate to you, as appropriate, any such matters that we identify during our audit. Also, if required by Government Auditing Standards, we will report known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to parties outside of the Rock University High School.

As part of obtaining reasonable assurance about whether the financial statements are free of material misstatement, we will perform tests of the Rock University High School's compliance with the provisions of applicable laws, regulations, contracts, and agreements, including grant agreements. However, the objective of those procedures will not be to provide an opinion on overall compliance and we will not express such an opinion in our report on compliance issued pursuant to Government Auditing Standards.

 The Uniform Guidance and the State Single Audit Guidelines require that we also plan and perform the audit to obtain reasonable assurance about whether you have complied with applicable laws and regulations and the provisions of contracts and grant agreements applicable to major programs. Our procedures will consist of test of transactions and other applicable procedures described in the 0MB Compliance Supplement and the State Single Audit Guidelines for the types of compliance requirements that could have a direct and material effect on each of the Rock University High School's major programs. The purpose of those procedures will be to express an opinion on your compliance with requirements applicable to each of your major programs in our report on compliance issued pursuant to the Uniform Guidance and the State Single Audit Guidelines.

 We are also responsible for determining that the audit committee or equivalent group charged with governance is informed about certain other matters related to the conduct of the audit, including (i) our responsibility under GAAS, (ii) an overview of the planned scope and timing of the audit, and (iii) significant findings from the audit, which include (a) our views about the qualitative aspects of your significant accounting practices, accounting estimates, and financial statement disclosures; (b) difficulties encountered in performing the audit; (c) uncorrected misstatements and material corrected misstatements that were brought to the attention of management as a result of auditing procedures; and (d) other significant and relevant findings or issues (e.g., any disagreements with management about matters that could be significant to your financial statements or our report thereon, consultations with other independent accountants, issues discussed prior to our retention as independent auditors, fraud and illegal acts, and all significant deficiencies and material weaknesses identified during the audit). Lastly, we are responsible for ensuring that the audit committee or equivalent group charged with governance receives copies of certain written communications between us and management including written communications on accounting, auditing, internal controls or operational matters and representations that we are requesting from management.

The audit will not be planned or conducted in contemplation of reliance of any specific third party or with respect to any specific transaction. Therefore, items of possible interest to a third party will not be specifically addressed and matters may exist that would be addressed differently by a third party, possibly in connection with a specific transaction.

Management's Responsibilities

The Rock University High School's management is responsible for the financial statements referred to above. Management is also responsible for identifying government award programs and understanding and complying with the compliance requirements, and for preparation of the schedule of expenditures of federal and state awards (including notes and noncash assistance received) in accordance with the requirements of the Uniform Guidance and the State Single Audit Guidelines. In this regard, management is responsible for establishing policies and procedures that pertain to the maintenance of adequate accounting records and effective internal controls, including internal controls over compliance, and for evaluating and monitoring ongoing activities; to help ensure that appropriate goals and objectives are met; following laws and regulations; and ensuring that there is reasonable assurance that government programs are administered in compliance with applicable requirements; and ensuring that management is reliable and financial information is reliable and properly reported. Management is also responsible for implementing systems designed to achieve compliance with applicable laws, regulations, contracts, and grant agreements. Your responsibilities also include identifying significant vendor relationships in which the vendor has responsibility for program compliance and for the accuracy and completeness of that information. You are also responsible for the selection and application of accounting principles, the authorization of receipts and disbursements, the safeguarding of assets, the proper recording of transactions in the accounting records, for reporting financial information in conformity with accounting principles generally accepted in the United States of America ("GMP"), and for compliance with applicable laws and regulations and the provisions of contracts and grant agreements.

Management is also responsible for the design and implementation of programs and controls to prevent and detect fraud, and for informing us in the management representation letter (I) about all known or suspected fraud affecting the Rock University High School involving: (a) management, (b) employees who have significant roles in internal control over financial reporting, and (c) others where the fraud or illegal acts could have a material effect on the financial statements; and (ii) of its knowledge of any allegations of fraud or suspected fraud affecting the Rock University High School received in communications from employees, former employees, analysts, granlors, regulators, or others. In addition, you are responsible for identifying and ensuring that the entity complies with applicable laws, regulations, contracts, agreements, and grants and for taking timely and appropriate steps lo remedy fraud and noncompliance with provisions of laws, regulations, contracts or grant agreements, or abuse that we report. Additionally, as required by the Uniform Guidance and the State Single Audit Guidelines, it is management's responsibility to follow up and take corrective action on reported audit findings and to prepare a summary schedule of prior audit findings and a corrective action plan. The summary schedule of prior audit findings should be available for our review before we begin fieldwork.

Management is responsible for establishing and maintaining a process for tracking the status of audit findings and recommendations. Management is also responsible for identifying for us previous financial audits, attestation engagements, performance audits or other studies related to the objectives discussed above. This responsibility includes relaying to us corrective actions taken to address significant findings and recommendations resulting from those audits, attestation engagements, performance audits or studies. You are also responsible for providing management's views on our current findings, conclusions, and recommendations, as well as your planned corrective actions for the report, and for the timing and format for providing that information.

Management is responsible for (i) adjusting the basic financial statements to correct material misstatements and for affirming to us in a management representation letter that the effects of any uncorrected misstatements aggregated by us during the current engagement and pertaining to the latest period under audit are immaterial, both individually and in the aggregate, to the basic financial statements taken as a whole, and (ii) notifying us of all material weaknesses, including other significant deficiencies, in the design or operation of your internal control over financial reporting that are reasonably likely to adversely affect your ability to record, process, summarize and report external financial data reliably in accordance with GMP. Management is also responsible for identifying and ensuring that the Rock University High School complies with the laws and regulations applicable to its activities.

As part of management's responsibility for the financial statements and the effectiveness of its system of internal control over financial reporting, management is responsible for making available to us, on a timely basis, all of your original accounting records and related information and for the completeness and accuracy of that information and your personnel to whom we may direct inquiries. As required by GAAS, we will make specific inquiries of management and others about the representations embodied in the financial statements and the effectiveness of internal control over financial reporting. GAAS also requires that we obtain written representations covering audited schedule of expenditures of federal and state awards, federal and state award programs, and compliance with laws, regulations, contracts and grant agreements from certain members of management. The results of our audit tests, the responses to our inquiries, and the written representations, comprise the evidential matter we intend to rely upon in forming our opinion on the financial statements.

Baker Tilly US, LLP is not a municipal advisor as defined in Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act or under Section 158 of the Securities Exchange Act of 1934 (the "Act"). Baker Tilly US, LLP is not recommending an action to the Rock University High School; is not acting as an advisor to you and does not owe a fiduciary duty pursuant to Section 158 of the Act to you with respect to the information and material contained in the deliverables issued under this engagement. Any municipal advisory services would only be performed by Baker Tilly Municipal Advisors LLC ("BTMA") pursuant to a separate engagement letter between you and BTMA. You should discuss any information and material contained in the deliverables with any and all internal and external advisors and experts that you deem appropriate before acting on this information or material.

Nonattest Services

Prior to or as part of our audit engagement, it may be necessary for us to perform certain nonattest services. For purposes of this letter, nonattest services include services that Government Auditing Standards refers to as nonaudit services.

Nonattest services that we will be providing are as follows:

• Financial statement preparation
• Adjusting journal entries
• Schedule of federal and state awards preparation

None of these nonattest services constitute an audit under generally accepted auditing standards including Government Auditing Standards.

We will not perform any management functions or make management decisions on your behalf with respect to any nonattest services we provide.

In connection with our performance of any nonattest services, you agree that you will:

• Continue to make all management decisions and perform all management functions, including approving all journal entries and general ledger classifications when they are submitted to you.
• Designate an employee with suitable skill, knowledge, and/or experience, preferably within senior management, to oversee the services we perform.
• Evaluate the adequacy and results of the nonattest services we perform.
•  Accept responsibility for the results of our nonattest services.
• Establish and maintain internal controls, including monitoring ongoing activities related to the nonattest function.

On a periodic basis, as needed, we will meet with you to discuss your accounting records and the management implications of your financial statements. We will notify you, in writing, of any matters that we believe you should be aware of and will meet with you upon request.

Other Documents

 If you intend to reproduce or publish the financial statements in an annual report or other information (excluding official statements), and make reference to our firm name in connection therewith, you agree to publish the financial statements in their entirety. In addition, you agree to provide us, for our approval and consent, proofs before printing and final materials before distribution.

The Rock University High School may wish to include our report on these financial statements in an official statement or some other securities offering. You agree that the aforementioned audit report or reference to Baker Tilly US, LLP will not be included in such offering without our prior written permission or consent. Upon notification, auditing standards will require our involvement with the official statement, and any procedures related to this involvement will be a separate agreement.

With regard to the electronic dissemination of audited financial statements, including financial statements published electronically on your Internet website, you understand that electronic sites are a means to distribute information and, therefore, we are not required to read the information contained in these sites or to consider the consistency of other information in the electronic site with the original document.

At the conclusion of our engagement, we will complete the appropriate auditor sections of the Data Collection Form that summarizes our audit findings. It is management's responsibility to complete the auditee sections and to submit the reporting package (including financial statements, schedule of expenditures of federal and state awards, summary schedule of prior year audit findings, auditors' reports, and corrective action plan) along with the Data Collection Form to the federal audit clearinghouse. We will coordinate with you the electronic submission and certification. If applicable, we will provide copies of our report for you to include within the reporting package you will submit to pass-through entities. The Data Collection Form and the reporting package must be submitted within the earlier of thirty (30) days after receipt of the auditors' reports or nine (9) months after the end of the audit period.

We will provide copies of our reports to the Rock University High School, however, management is responsible for distribution of the reports and the financial statements. Copies of our reports are to be made available for public inspection unless restricted by law or regulation or if they contain privileged and confidential information.

The documentation for this engagement, including the workpapers, is the property of Baker Tilly US, LLP and constitutes confidential information. However, pursuant to authority given by law or regulation, we may be requested to make certain audit documentation available to federal or state agencies for purposes of a quality review of the audit, to resolve audit findings, or to carry out oversight responsibilities. We will notify you of any such request. If requested, access to such audit documentation will be provided under the supervision of Baker Tilly US, LLP personnel. Furthermore, upon request, we may provide copies of selected audit documentation to the aforementioned parties. These parties may intend, or decide, to distribute the copies or information contained therein to others, including other governmental agencies.

We may have a responsibility to retain the documentation for a period of time sufficient to satisfy any applicable legal or regulatory requirements for records retention. If we are required by law, regulation or professional standards to make certain documentation available to regulators, the Rock University High School hereby authorizes us to do so.

Government Auditing Standards require that we provide you with a copy of our most recent external peer review report and any subsequent peer review reports received during the period of the contract. Our most recent peer review report accompanies this letter.

Timing and Fees

Completion of our work is subject to, among other things, (i) appropriate cooperation from the Rock University High School's personnel, including timely preparation of necessary schedules, (ii) timely responses to our inquiries, and (iii) timely communication of all significant accounting and financial reporting matters. When and if for any reason the Rock University High School is unable to provide such schedules, information, and assistance, Baker Tilly US, LLP and you will mutually revise the fee to reflect additional services, if any, required of us to complete the audit. Delays in the issuance of our audit report beyond the date that was originally contemplated may require us to perform additional auditing procedures which will likely result in additional fees.

Revisions to the scope of our work will be communicated to you and may be set forth in the form of an "Amendment to Existing Engagement Letter." In addition, if we discover compliance issues that require us to perform additional procedures and/or provide assistance with these matters, fees at our standard hourly rates apply.

The fee for the audit for the year ended June 30, 2021, will be 1lled per hour as incurred at our standard hourly rates of the individual performing the work. Invoices for these will be read each month as work progresses and are payable on presentation. A charge of 1.5 percent per month shall be imposed on accounts not paid within thirty (30) days of receipt of our statement for services provided. In accordance with our firm policies, work may be suspended if your account becomes thirty (30) days or more overdue and will not be resumed until your account is paid in full. If we elect to terminate our services for nonpayment, our engagement will be deemed to have been completed upon written notice of termination, even if we have not completed our report. You will be obligated to compensate us for all time expended and to reimburse us for all out-of-pocket expenditures through the date of termination.

In addition to our professional fees, out-of-pocket expenses for direct engagement support including travel and/ subsistence, production of reports, and other direct engagement expenses will be billed separately at our cost and stated separately on our invoices.

We may use temporary contract staff to perform certain tasks on your engagement and will bill for that time at the rate that corresponds to Baker Tilly US, LLP staff providing a similar level of service. Upon request, we will be happy to provide details on training, supervision, and billing arrangements we use in connection with these professionals.

Additionally, we may from time to time, and depending on the circumstances, use service providers (e.g., to act as a specialist or audit an element of the financial statements) in serving your account. We may share confidential information about you with these service providers, but are committed to maintaining the confidentiality and security of your information.

Any additional services that may be requested, and we agree to provide, may be the subject of a separate engagement letter.

We may be required to disclose confidential information to federal, state and international regulatory bodies or a court in criminal or other civil litigation. In the event that we receive a request from a third party (including a subpoena, summons or discovery demand in litigation) calling for the production of information, we will promptly notify the Rock University High School, unless otherwise prohibited. In the event we are requested by the Rock University High School or required by government regulation, subpoena or other legal process to produce our engagement working papers or our personnel as witnesses with respect to services rendered to the Rock University High School, so long as we are not a party to the proceeding in which the information is sought, we may seek reimbursement for our professional time and expenses, as well as the fees and legal expenses, incurred in responding to such a request

Our fees are based on known circumstances at the time of this Engagement Letter. Should circumstances change significantly during the course of this engagement, we will discuss with you the need for any revised audit fees. This can result from changes at the Rock University High School, such as the turnover of key accounting staff, the addition of new funds or significant federal or state programs or changes that affect the amount of audit effort from external sources, such as new accounting and auditing standards that become effective that increase the scope of our audit procedures. This Engagement Letter currently includes all auditing and accounting standards and the current single audit guidance in effect as of the date of this letter.

We would expect to continue to perform our services under the arrangements discussed above from year to year, unless for some reason you or we find that some change is necessary. We will, of course, be happy to provide the Rock University High School with any other services you may find necessary or desirable.

Resolution of Disagreements

 In the unlikely event that differences concerning services or fees should arise that are not resolved by mutual agreement, both parties agree to attempt in good faith to settle the dispute by mediation administered by the American Arbitration Association ("AAA") under its mediation rules for professional accounting and related services disputes before resorting to litigation or any other dispute-resolution procedure. Each party shall bear their own expenses from mediation.

If mediation does not settle the dispute or claim, then the parties agree that the dispute or claim shall be settled by binding arbitration. The arbitration proceeding shall take place in the city in which the Baker Tilly US, LLP office providing the relevant services is located, unless the parties mutually agree to a different location. The proceeding shall be governed by the provisions of the Federal Arbitration Act ("FAA") and will proceed in accordance with the then current Arbitration Rules for Professional Accounting and Related Disputes of the AAA, except that no pre hearing discovery shall be permitted unless specifically authorized by the arbitrator.

The arbitrator will be selected from AAA, Judicial Arbitration & Mediation Services ("JAMS"), the Center for Public Resources or any other internationally or nationally recognized organization mutually agreed upon by the parties. Potential arbitrator names will be exchanged within fifteen (15) days of the parties' agreement to settle the dispute or claim by binding arbitration, and arbitration will thereafter proceed expeditiously. The arbitration will be conducted before a single arbitrator, experienced in accounting and auditing matters. The arbitrator shall have no authority to award non monetary or equitable relief and will not have the right to award punitive damages. The award of the arbitration shall be in writing and shall be accompanied by a well reasoned opinion. The award issued by the arbitrator may be confirmed in a judgment by any federal or state court of competent jurisdiction. Each party shall be responsible for their own costs associated with the arbitration, except that the costs of the arbitrator shall be equally divided by the parties. The arbitration proceeding and all information disclosed during the arbitration shall be maintained as confidential, except as may be required for disclosure to professional or regulatory bodies or in a related confidential arbitration. In no event shall a demand for arbitration be made after the date when institution of legal or equitable proceedings based on such claim would be barred under the applicable statute of limitations.

Our services shall be evaluated solely on our substantial conformance with the terms expressly set forth herein, including all applicable professional standards. Any claim of nonconformance must be clearly and convincingly shown.

Limitation on Damages and Indemnification

The liability (including attorney's fees and all other costs) of Baker Tilly US, LLP and its present or former partners, principals, agents or employees related to any claim for damages relating to the services performed under this Engagement Letter shall not exceed the fees paid to Baker Tilly US, LLP for the portion of the work to which the claim relates, except to the extent finally determined to have resulted from the willful misconduct or fraudulent behavior of Baker Tilly US, LLP relating to such services. This limitation of liability is intended to apply to the full extent allowed by law, regardless of the grounds or nature of any claim asserted, including the negligence of either party. Additionally, in no event shall either party be liable for any lost profits, lost business opportunity, lost data, consequential, special, incidental, exemplary or punitive damages, delays or interruptions arising out of or related to this Engagement Letter even if the other party has been advised of the possibility of such damages.

As Baker Tilly US, LLP is performing the services solely for your benefit, you will indemnify Baker Tilly US, LLP, its subsidiaries and their present or former partners, principals, employees, officers and agents against all costs, fees, expenses, damages and liabilities (including attorney's fees and all defense costs) associated with any third-party claim, relating to or arising as a result of the services, or this Engagement Letter.

Because of the importance of the information that you provide to Baker Tilly US, LLP with respect to Baker Tilly's ability to perform the services, you hereby release Baker Tilly US, LLP and its present and former partners, principals, agents and employees from any liability, damages, fees, expenses and costs, including attorney's fees, relating to the services, that arise from or relate to any information, including representations by management, provided by you, its personnel or agents, that is not complete, accurate or current.

Each party recognizes and agrees that the warranty disclaimers and liability and remedy limitations in this Engagement Letter are material bargained for bases of this Engagement Letter and that they have been taken into account and reflected in determining the consideration to be given by each party under this Engagement Letter and in the decision by each party to enter into this Engagement Letter.

The terms of this section shall apply regardless of the nature of any claim asserted (including, but not limited to, contract, tort or any form of negligence, whether of you, Baker Tilly US, LLP or others), but these terms shall not apply to the extent finally determined to be contrary to the applicable law or regulation. These terms shall also continue to apply after any termination of this Engagement Letter.

You accept and acknowledge that any legal proceedings arising from or in conjunction with the services provided under this Engagement Letter must be commenced within twelve (12) months after the performance of the services for which the action is brought, without consideration as to the time of discovery of any claim.

Other Matters

Neither this Engagement Letter, any claim, nor any rights or licenses granted hereunder may be assigned, delegated, or subcontracted by either party without the written consent of the other party. Either party may assign and transfer this Engagement Letter to any successor that acquires all or substantially all of the business or assets of such party by way of merger, consolidation, other business reorganization, or the sale of interest or assets, provided that the party notifies the other party in writing of such assignment and the successor agrees in writing to be bound by the terms and conditions of this Engagement Letter.

Our dedication to client service is carried out through our employees who are integral in meeting this objective. In recognition of the importance of our employees, it is hereby agreed that the Rock University High School will not solicit our employees for employment or enter into an independent contractor arrangement with any individual who is or was an employee of Baker Tilly US, LLP for a period of twelve (12) months following the date of the conclusion of this engagement. If the Rock University High School violates this non-solicitation clause, the Rock University High School agrees to pay to Baker Tilly US, LLP a fee equal to the hired person's annual salary at the time of the violation so as to reimburse Baker Tilly US, LLP for the costs of hiring and training a replacement.

Baker Tilly US, LLP, trading as Baker Tilly, is an independent member of Baker Tilly International. Baker Tilly International Limited is an English company. Baker Tilly International provides no professional services to clients. Each member firm is a separate and independent legal entity and each describes itself as such. Baker Tilly US, LLP is not Baker Tilly lnternational's agent and does not have the authority to bind Baker Tilly International or act on Baker Tilly lnternational's behalf. None of Baker Tilly International, Baker Tilly US, LLP, nor any of the other member firms of Baker Tilly International has any liability for each other's acts or omissions. The name Baker Tilly US, LLP and its associated logo is used under license from Baker Tilly International Limited.

This Engagement Letter constitutes the entire agreement between the Rock University High School and Baker Tilly US, LLP regarding the services described in this Engagement Letter and supersedes and incorporates all prior or contemporaneous representations, understandings or agreements, and may not be modified or amended except by an agreement in writing signed between the parties hereto.

The provisions of this Engagement Letter, which expressly or by implication are intended to survive its termination or expiration, will survive and continue to bind both parties. If any provision of this Engagement Letter is declared or found to be illegal, unenforceable or void, then both parties shall be relieved of all obligations arising under such provision, but if the remainder of this Engagement Letter shall not be affected by such declaration or finding and is capable of substantial performance, then each provision not so affected shall be enforced to the extent permitted by law or applicable professional standards.

If because of a change in the Rock University High School's status or due to any other reason, any provision in this Engagement Letter would be prohibited by, or would impair our independence under laws, regulations or published interpretations by governmental bodies, commissions or other regulatory agencies, such provision shall, to that extent, be of no further force and effect and this agreement shall consist of the remaining portions.

This agreement shall be governed by and construed in accordance with the laws of the state of Wisconsin, without giving effect to the provisions relating to conflict of laws.

We appreciate the opportunity to be of service to you.

If there are any questions regarding this Engagement Letter, please contact Wendi M. Unger, the engagement partner on this engagement who is responsible for the overall supervision and review of the engagement and determining that the engagement has been completed in accordance with professional standards. Wendi M. Unger is available at 414 777 5423, or at wendi.unger@bakertilly.com.

Sincerely, 
BAKER TILLY US, LLP

@MoSS6DAMS
Report on the Firm's System of Quality Control

September 26, 2018

To the Partners of Baker Tilly Vlrchow Krause, LLP and the AICPA National Peer Review Committee We have reviewed the system of quality control for the accounting and auditing practice of Baker Tilly Virchow Krause, LLP (the firm) applicable to engagements not subject to PCAOB permanent inspection In effect for the year ended March 31, 2018. Our peerrevlew was conducted In accordance with the Standards for Performing and Reporting on Peer Reviews established by the Peer Review Board of the American Institute of Certified Public Accountants (Standards).

A summary of the nature, objectives, scope, limitations of, and the procedures perfonmed in a System Review as described in the Standards may be found at www.aicpa.org/prsummary. The summary also Includes an explanation of how engagements identified as not performed or reported in conformity with applicable professional standards, if any, are evaluated by a peer reviewer to determine a peer review rating.

Peer Reviewer's Responsibility

Our responsibility is to express an opinion on the design of the system of quality control and the firm's

compliance therewith based on our review.

Required Selections and Considerations

Engagements selected for review included engagements performed under Government Auditing Standaids, including compliance audits under the Single Audit Act, audits of employee benefit plans, audits perfonmed under FDICIA, an audit of a broker-dealer, and examinations of service organizations [SOC 1 and SOC 2 engagements].

As a part of our peer review, we considered reviews by regulatory entities as communicated by then firm, if applicable, in determining the nature and extent of our procedures.

Opinion

In our opinion, the system of quality control for the accounting and auditing practice of Baker Tilly Virchow Krause, LLP applicable to engagements not subject to PCAOB permanent inspection in effect for the year ended March 31, 2018, has been suitably designed and complied with to provide the firm with reasonable assurance of performing and reporting in confonmity with applicable professional standards in all material respects. Firms can receive a rating of pass, pass with deficiency(ies) or fail. Baker Tilly Virchow Krause, LLP has received a peer review rating of pass.

1 fl.da.vu) LL{)

Firm's Responsibility

The firm is responsible for designing a system of quality control and complying with it to provide the firm with reasonable assurance of performing and reporting in conformity with applicable professional standards 1n all material respects. The finm Is also responsible for evaluating actions to promptly remediate engagements deemed as not performed or reported in conformity with professional standards, when appropriate, and for remediating weaknesses in its system of quality control, if any.

BUSINESS ASSOCIATE AGREEMENT BETWEEN ROCK UNIVERSITY HIGH SCHOOL and BAKER TILLY US, LLP

THIS BUSINESS ASSOCIATE AGREEMENT ("BA Agreement") replaces previous business associate agreements between Baker Tilly US, LLP ("Business Associate") and Rock University High School ("Covered Entity") (each a "Party" and collectively the "Parties") and is effective on July 25, 2021 ("Effective Date"). 

PREAMBLE 
Covered Entity and Business Associate enter into this BA Agreement to comply with the requirements of: (i) the implementing regulations at 45 C.F.R Parts 160, 162 and 164 for the Administrative Simplification provisions of Title II, Subtitle F of the Health Insurance Portability and Accountability Act of 1996 ("HIPM") (i.e., the HIPM Privacy, Security, Electronic Transaction, Breach Notification and Enforcement Rules the (Implementing Regulations)), (ii) the requirements of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 the ("HITECH Act") that are applicable to business associates and (iii) the requirements of the final modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules as issued on January 25, 2013, and effective March 26, 2013, (75 Fed. Reg. 5566 (Jan. 25, 2013)) the (Final Regulations). The Implementing Regulations, the HITECH Act and the Final Regulations are collectively referred to in this BA Agreement as the "HIPM Requirements."

Covered Entity and Business Associate agree to incorporate into this BA Agreement any regulations issued by the U.S. Department of Health and Human Services ("DHHS") with respect to the HIPM Requirements that relate to the obligations of business associates and that are required to be (or should be) reflected in a business associate agreement. Business Associate recognizes and agrees that it is obligated by law to meet the applicable provisions of the HIPM Requirements and that it has direct liability for any violations of the HIPM Requirements.

DEFINITIONS

• "Breach" shall mean, as defined in 45 C.F.R. § 164.402, the acquisition, access, use or disclosure of Unsecured Protected Health Information in a manner not permitted by the HIPM Requirements that compromises the security or privacy of that Protected Health Information.
• "Business Associate Subcontractor" shall mean, as defined in 45 C.F.R. § 160.103, any entity (including an agent) that creates, receives, maintains or transmits Protected Health Information on behalf of Business Associate.
• "Electronic PHI" shall mean, as defined in 45 C.F.R. § 160.103, Protected Health Information that is transmitted or maintained in any Electronic Media.
• "Limited Data Set" shall mean, as defined in 45 C.F.R. § 164.514(e), Protected Health Information that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:

(i)      Names;
(ii)     Postal address information, other than town or city, State and zip code; 
(iii)    Telephone numbers;
(iv)    Fax numbers;
(v)     Electronic mail addresses;
(vi)   Social security numbers;
(vii)   Medical record numbers;
(viii)  Health plan beneficiary numbers;
(ix)    Account numbers;
(x)    Certificate/license numbers;
(xi)    Vehicle identifiers and serial numbers, including license plate numbers;
(xii)   Device identifiers and serial numbers;
(xiii)  Web Universal Resource Locators ("URLs");
(xiv)  Internet Protocol ("IP") address numbers;
(xv)  Biometric identifiers, including finger and voice prints; and 
(xvi) Full face photographic images and any comparable images.

"Protected Health Information" or "PHI" shall mean, as defined in 45 C.F.R. § 160.103, information created or received by a Health Care Provider, Health Plan, employer or Health Care Clearinghouse, that (i) relates to the past, present or future physical or mental health or condition of an individual, provision of health care to the individual or the past, present or future payment for provision of health care to the individual, (ii) identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual and (iii) is transmitted or maintained in an electronic medium, or in any other form or medium. The use of the term "Protected Health Information" or "PHI" in this BA Agreement shall mean both Electronic PHI and non-Electronic PHI, unless another meaning is clearly specified.

• "Security Incident" shall mean, as defined in 45 C.F.R. § 164.304, the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.
•  "Unsecured Protected Health Information" shall mean, as defined in 45 C.F.R. § 164.402, Protected Health Information that is not rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology specified by DHHS.
•  All other capitalized terms used in this BA Agreement shall have the meanings set forth in the applicable definitions under the HIPAA Requirements.

GENERAL TERMS

•  In the event of an inconsistency between the provisions of this BA Agreement and a mandatory term of the HIPAA Requirements (as these terms may be expressly amended from time to time by the DHHS or as a result of interpretations by DHHS, a court or another regulatory agency with authority over the Parties), the interpretation of DHHS, such court or regulatory agency shall prevail. In the event of a conflict among the interpretations of these entities, the conflict shall be resolved in accordance with rules of precedence.
• Where provisions of this BA Agreement are different from those mandated by the HIPAA Requirements, but are nonetheless permitted by the HIPAA Requirements, the provisions of this BA Agreement shall control.
• Except as expressly provided in the HIPAA Requirements or this BA Agreement, this BA Agreement does not create any rights in third parties.

SPECIFIC REQUIREMENTS

• Flow-Down of Obligations to Business Associate Subcontractors. Business Associate agrees that as required by the HIPAA Requirements, Business Associate will enter into a written agreement with all Business Associate Subcontractors that: (i) requires them to comply with the Privacy and Security Rule provisions of this BA Agreement in the same manner as required of Business Associate and (ii) notifies such Business Associate Subcontractors that they will incur liability under the HIPAA Requirements for non-compliance with such provisions. Accordingly, Business Associate shall ensure that all Business Associate Subcontractors agree in writing to the same privacy and security restrictions, conditions and requirements that apply to Business Associate with respect to PHI.
• Privacy of Protected Health Information

Permitted Uses and Disclosures of PHI. Business Associate agrees to create, receive, use, disclose, maintain or transmit PHI only in a manner that Is consistent with this BA Agreement or the HIPM Requirements and only in connection with providing the services to Covered Entity identified in the Engagement Letter and this BA Agreement. Accordingly, in providing services to or for the Covered Entity, Business Associate, for example, will be permitted to use and disclose PHI for "Treatment, Payment, and Health Care Operations," as those terms are defined in the HIPM Requirements. Business Associate further agrees that to the extent it is carrying out one or more of the Covered Entity's obligations under the Privacy Rule (Subpart E of 45 C.F.R. Part 164), it shall comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligations.

 

• Business Associate shall report to Covered Entity any use or disclosure of PHI that is not provided for in this BA Agreement, including reporting Breaches of Unsecured Protected Health Information as required by 45 C.F.R. § 164.410 and required by Section 4(d)(ii) below.
• Business Associate shall establish, implement and maintain appropriate safeguards and comply with the Security Standards (Subpart C of 45 C.F.R. Part 164) with respect to Electronic PHI, as necessary to prevent any use or disclosure of PHI other than as provided for by this BA Agreement.

(ii)     Business Associate Obligations. As permitted by the HIPAA Requirements, Business Associate also may use or disclose PHI received by the Business Associate in its capacity as a Business Associate to the Covered Entity for Business Associate's own operations if:

• the use relates to: (1) the proper management and administration of the Business Associate or to carry out legal responsibilities of the Business Associate or (2) data aggregation services relating to the health care operations of the Covered Entity or
• the disclosure of information received in such capacity will be made in connection with a function, responsibility or services to be performed by the Business Associate, and such disclosure is required by law or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that ii will be held confidential and the person agrees to notify the Business Associate of any Breaches of confidentiality.
• Minimum Necessary Standard and Creation of Limited Data Set. Business Associate's use, disclosure or request of PHI shall utilize a Limited Data Set if practicable. Otherwise, in performing the functions and activities as specified in the Engagement Letter and this BA Agreement, Business Associate agrees to use, disclose or request only the minimum necessary PHI to accomplish the intended

· purpose of the use, disclosure or request.

Access. In accordance with 45 C.F.R. § 164.524 of the HIPM Requirements, Business Associate will make available to the Covered Entity (or as directed by the Covered Entity, to those individuals who are the subject of the PHI (or their designees)), their PHI in the Designated Record Set. Business Associate shall make such information available in an electronic format where directed by the Covered Entity.

Disclosure Accounting. Business Associate shall make available the information necessary to provide an accounting of disclosures of PHI as provided for in 45 C.F.R. § 164.528 of the HIPM Requirements by making such information available to the Covered Entity or (at the direction of the Covered Entity) making such information available directly to the individual.

(vi)    Amendment. Business Associate shall make PHI in a Designated Record Set available for amendment and, as directed by the Covered Entity, incorporate any amendment to PHI in accordance with 45 C.F.R. § 164.526 of the HIPM Requirements.

(vii)   Right to Request Restrictions on the Disclosure of PHI and Confidential Communications. If an individual submits a Request for Restriction or Request for Confidential Communications to the Business Associate, Business Associate and Covered Entity agree that Business Associate, on behalf of Covered Entity, will evaluate and respond to these requests according to Business Associate's own procedures for such requests.

(viii)  Return or Destruction of PHI. Upon the termination or expiration of the Engagement Letter or this BA Agreement, Business Associate agrees to return the PHI to Covered Entity, destroy the PHI (and retain no copies) or if Business Associate determines that return or destruction of the PHI is not feasible, (a) continue to extend the protections of this BA Agreement and of the HIPM Requirements to the PHI and (b) limit any further uses and disclosures of the PHI to the purpose making return or destruction infeasible.

(ix)    Availability of Books and Records. Business Associate shall make available to DHHS or its agents the Business Associate's internal practices, books and records relating to the use and disclosure of PHI in connection with this BA Agreement.

(x)     Termination for Breach.

(1)  Business Associate agrees that Covered Entity shall have the right to terminate this BA Agreement or seek other remedies if Business Associate violates a material term of this BA Agreement.

(2)  Covered Entity agrees that Business Associate shall have the right to terminate this BA Agreement or seek other remedies if Covered Entity violates a material term of this BA Agreement.

(c)           Information and Security Standards

(i)      Business Associate will develop, document, implement, maintain and use appropriate Administrative, Technical and Physical Safeguards to preserve the Integrity, Confidentiality and Availability of, and to prevent non-permitted use or disclosure of, Electronic PHI created or received for or from the Covered Entity.

(ii)     Business Associate agrees that with respect to Electronic PHI, these Safeguards, at a minimum, shall meet the requirements of the HIPAA Security Standards applicable to Business Associate.

(iii)    More specifically, to comply with the HIPM Security Standards for Electronic PHI, Business Associate agrees that it shall:

(1) Implement Administrative, Physical and Technical Safeguards consistent with (and as required by) the HIPM Security Standards that reasonably protect the Confidentiality, Integrity and Availability of Electronic PHI that Business Associate creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate shall develop and implement policies and procedures that meet the documentation requirements as required by the HIPM Requirements;

(2) As also provided for in Section 4(a) above, ensure that any Business Associate Subcontractor agrees to implement reasonable and appropriate safeguards to protect the Electronic PHI;

(3) Report to Covered Entity any unauthorized access, use, disclosure, modification or destruction of PHI (including Electronic PHI) not permitted by this BA Agreement, applicable law or permitted by Covered Entity in writing ("Successful Security Incidents" or Breaches) of which Business Associate becomes aware. Business Associate shall report such Successful Security Incidents or Breaches to Covered Entity as specified in Section 4(d)(iii)(1);

(4) For Security Incidents that do not result in unauthorized access, use, disclosure, modification or destruction of PHI (including, for purposes of example and not for purposes of limitation, pings on Business Associate's firewall, port scans, attempts to log onto a system or enter a database with an invalid password or username, denial-of-service attacks that do not result in the system being taken off-line or malware such as worms or viruses) ("Unsuccessful Security Incidents"), aggregate the data and, upon the Covered Entity's written request, report to the Covered Entity in accordance with the reporting requirements identified in Section 4(d)(iii)(2);

(5) Take all commercially reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate resulting from any unauthorized access, use, disclosure, modification or destruction of PHI;

(6) Permit termination of this BA Agreement if the Covered Entity determines that Business Associate has violated a material term of this BA Agreement with respect to Business Associate's security obligations and Business Associate is unable to cure the violation; and

(7) Upon Covered Entity's request, provide Covered Entity with access to and copies of documentation regarding Business Associate's safeguards for PHI and Electronic PHI.

 

Notice and Reporting Obligations of Business Associate

 

(i)      Notice of Non-Compliance with the BA Agreement. Business Associate will notify Covered Entity within 30 calendar days after discovery, any unauthorized access, use, disclosure, modification or destruction of PHI (including any successful Security Incident) that is not permitted by this BA Agreement, by applicable law or permitted in writing by Covered Entity, whether such non-compliance is by (or at) Business Associate or by (or at) a Business Associate Subcontractor.

(ii)     Notice of Breach. Business Associate will notify Covered Entity following discovery and without unreasonable delay but in no event later than 30 calendar days following discovery, any Breach of Unsecured Protected Health Information, whether such Breach is by Business Associate or by Business Associate Subcontractor.

(1) As provided for in 45 C.F.R. § 164.402, Business Associate recognizes and agrees that any acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPM Privacy Rule (Subpart E of45 C.F.R. Part 164) is presumed to be a Breach. As such, Business Associate shall (i) notify Covered Entity of any non-permitted acquisition, access, use or disclosure of PHI and (ii) assist Covered Entity in performing (or at Covered Entity's direction, perform) a risk assessment to determine if there is a low probability that the PHI has been compromised.

(2) Business Associate shall cooperate with Covered Entity in meeting the Covered Entity's obligations under the HIPM Requirements and any other security breach notification laws. Business Associate shall follow its notification to the Covered Entity with a report that meets the requirements outlined immediately below.

(iii)    Reporting Obligations.

(1) For Successful Security Incidents and Breaches, Business Associate - without unreasonable delay and in no event later than 30 calendar days after Business Associate learns of such non-permitted use or disclosure (whether at Business Associate or at Business Associate Subcontractor) - shall provide Covered Entity a report that will:

a.   Identify (if known) each individual whose Unsecured Protected Health Information has been or is reasonably believed by Business Associate to have been accessed, acquired or disclosed;

b.   Identify the nature of the non-permitted access, use or disclosure including the date of the incident and the date of discovery;

c.   Identify the PHI accessed, used or disclosed (e.g., name; social security number; date of birth);

d.   Identify what corrective action Business Associate (or Business Associate Subcontractor) took or will take to prevent further non-permitted accesses, uses or disclosures;

e.   Identify what Business Associate (or Business Associate Subcontractor) did or will do to mitigate any deleterious effect of the non-permitted access, use or disclosure; and

f.    Provide such other information, including a written report, as the Covered Entity may reasonably request.

(2) For Unsuccessful Security Incidents, Business Associate shall provide Covered Entity, upon its written request, a report that:

a.   identifies the categories of Unsuccessful Security Incidents as described in Section 4(c)(iii)(4),

b.   indicates whether Business Associate believes its (or its Business Associate Subcontractor's) current defensive security measures are adequate to address all Unsuccessful Security Incidents, given the scope and nature of such attempts and

c.   if the security measures are not adequate, the measures Business Associate (or Business Associate Subcontractor) will implement to address the security inadequacies.

(iv)    Termination.

(1) Covered Entity and Business Associate each will have the right to terminate this BA Agreement if the other Party has engaged in a pattern of activity or practice that constitutes a material breach or violation of Business Associate's or the Covered Entity's respective obligations regarding PHI under this BA Agreement and, on notice of such material breach or violation from the Covered Entity or Business Associate, fails to take reasonable steps to cure the material breach or end the violation.

(2) If Business Associate or Covered Entity fail to cure the material breach or end the violation after the other Party's notice, Covered Entity or Business Associate (as applicable) may terminate this BA Agreement by providing Business Associate or Covered Entity written notice of termination, stating the uncured material breach or violation that provides the basis for the termination and specifying the effective date of the termination. Such termination shall be effective 60 days from this termination notice.

(v)     Continuing Privacy and Security Obligations. Business Associate's and Covered Entity's obligation to protect the privacy and security of the PHI it created, received, maintained or transmitted in connection with services to be provided under the Engagement Letter and this BA Agreement will be continuous and survive termination, cancellation, expiration or other conclusion of this BA Agreement or the Engagement Letter. Business Associate's other obligations and rights, and Covered Entity's obligations and rights upon termination, cancellation, expiration or other conclusion of this BA Agreement, are those set forth in this BA Agreement and/or the Engagement Letter.

IN WITNESS WHEREOF, the Parties have signed this BA Agreement on the dates indicated below. BAKER TILLY US, LLP                                                    Rock University High School