FAC Explorer

Audit 1111

FY End
2023-06-30
Total Expended
$18.71M
Findings
18
Programs
14
Organization: Augustana College (IL)
Year: 2023 Accepted: 2023-10-24
Auditor: Cliftonlarsonallen LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
558 2023-001 Significant Deficiency - N
559 2023-001 Significant Deficiency - N
560 2023-001 Significant Deficiency - N
561 2023-001 Significant Deficiency - N
562 2023-001 Significant Deficiency - N
563 2023-001 Significant Deficiency - N
564 2023-001 Significant Deficiency - N
565 2023-001 Significant Deficiency - N
566 2023-001 Significant Deficiency - N
577000 2023-001 Significant Deficiency - N
577001 2023-001 Significant Deficiency - N
577002 2023-001 Significant Deficiency - N
577003 2023-001 Significant Deficiency - N
577004 2023-001 Significant Deficiency - N
577005 2023-001 Significant Deficiency - N
577006 2023-001 Significant Deficiency - N
577007 2023-001 Significant Deficiency - N
577008 2023-001 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $3.73M Yes 1
84.063 Federal Pell Grant Program $2.56M Yes 1
84.038 Federal Perkins Loan Program - Beginning Balance $1.66M Yes 1
84.033 Federal Work-Study Program $400,932 Yes 1
84.007 Federal Supplemental Educational Opportunity Grants $280,273 Yes 1
84.042 Trio_student Support Services $251,682 - 0
47.076 Education and Human Resources $219,436 - 0
16.525 Grants to Reduce Domestic Violence, Dating Violence, Sexual Assault, and Stalking on Campus $62,203 - 0
97.036 Disaster Grants - Public Assistance (presidentially Declared Disasters) $41,950 - 0
84.379 Teacher Education Assistance for College and Higher Education Grants (teach Grants) $39,606 Yes 1
47.049 Mathematical and Physical Sciences $37,455 - 0
47.074 Biological Sciences $35,650 - 0
93.859 Biomedical Research and Research Training $1,775 - 0
84.038 Federal Perkins Loan Program - Loans Issued in 2023 $0 Yes 1

Contacts

Name Title Type
M49LL3GGY7B5 Kirk Anderson Auditee
3097947203 Chad Lassen, CPA Auditor
No contacts on file

Notes to SEFA

Title: BASIS FOR PRESENTATION Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. The College has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. During the year ended June 30, 2023, the College did not pass any funds through to subrecipients. The Federal Emergency Management Agency’s (FEMA) expenditures reported on the Schedule were incurred in previous fiscal years and obligated by FEMA during the year ended June 30, 2023. De Minimis Rate Used: N Rate Explanation: The College has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of Augustana College (the College) under programs of the federal government for the year ended June 30, 2023. The information in the Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the College, it is not intended and does not present the financial position, changes in net assets, or cash flows of the College.
Title: LOANS OUTSTANDING Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. The College has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. During the year ended June 30, 2023, the College did not pass any funds through to subrecipients. The Federal Emergency Management Agency’s (FEMA) expenditures reported on the Schedule were incurred in previous fiscal years and obligated by FEMA during the year ended June 30, 2023. De Minimis Rate Used: N Rate Explanation: The College has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. As of June 30, 2023, Augustana College had the following federal loan program receivables from participating students: Program Title: Federal Perkins Loan Program (ALN 84.038) Amount: $1,149,468

Finding Details

Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were two missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of Augustana College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were two elements missing from their WISP. Section III – Findings and Questioned Costs – Major Federal Programs (Continued) 2023-001 Gramm-Leach-Bliley Act (GLBA) (Continued) Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.