Audit 12444

FY End: 2023-06-30
Total Expended: $15.28M
Findings: 12
Programs: 16
Organization: Anne Arundel Community College (MD)
Year: 2023 Accepted: 2024-01-19

Findings

ID Ref Severity Repeat Requirement
9095 2023-001 Significant Deficiency - N
9096 2023-001 Significant Deficiency - N
9097 2023-001 Significant Deficiency - N
9098 2023-001 Significant Deficiency - N
9099 2023-002 Significant Deficiency - N
9100 2023-002 Significant Deficiency - N
585537 2023-001 Significant Deficiency - N
585538 2023-001 Significant Deficiency - N
585539 2023-001 Significant Deficiency - N
585540 2023-001 Significant Deficiency - N
585541 2023-002 Significant Deficiency - N
585542 2023-002 Significant Deficiency - N

Contacts

Name Title Type
CYN8HKRHAQF9 Lisa Libby Auditee
4107772288 Christina Bowman Auditor

Notes to SEFA

Title: Basis of Presentation
Accounting Policies: Expenditures reported on the schedule are reported on the accrual basis of accounting. Such expenditures are recognized following, as applicable, the cost principles contained in Title 2 U.S. Code of Federal Regulations Part 200; Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), wherein certain types of expenditures are not allowable or are limited as to reimbursement. Pass-through entity identifying numbers are presented in the schedule. The College has elected not to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance.
De Minimis Rate Used: N
Rate Explanation: The College uses an approved federally-negotiated indirect cost rate.
Note: The accompanying schedule of expenditures of federal awards includes the federal grant activity of the College and is presented on the accrual basis of accounting. The information in this schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Therefore, some amounts presented in this schedule may differ from amounts presented in, or used in the preparation of, the basic financial statements. Because the Schedule presents only a selected portion of the operations of the College, it is not intended to and does not present the changes in net position or cash flows of the College. All of the College’s federal awards were in the form of cash assistance for the year ended June 30, 2023.

Title: Summary of Significant Accounting Policies
Accounting Policies: Expenditures reported on the schedule are reported on the accrual basis of accounting. Such expenditures are recognized following, as applicable, the cost principles contained in Title 2 U.S. Code of Federal Regulations Part 200; Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), wherein certain types of expenditures are not allowable or are limited as to reimbursement. Pass-through entity identifying numbers are presented in the schedule. The College has elected not to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance.
De Minimis Rate Used: N
Rate Explanation: The College uses an approved federally-negotiated indirect cost rate.
Note: Expenditures reported on the schedule are reported on the accrual basis of accounting. Such expenditures are recognized following, as applicable, the cost principles contained in Title 2 U.S. Code of Federal Regulations Part 200; Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), wherein certain types of expenditures are not allowable or are limited as to reimbursement. Pass-through entity identifying numbers are presented in the schedule. The College has elected not to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance.

Title: Loan Programs
Accounting Policies: Expenditures reported on the schedule are reported on the accrual basis of accounting. Such expenditures are recognized following, as applicable, the cost principles contained in Title 2 U.S. Code of Federal Regulations Part 200; Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), wherein certain types of expenditures are not allowable or are limited as to reimbursement. Pass-through entity identifying numbers are presented in the schedule. The College has elected not to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance.
De Minimis Rate Used: N
Rate Explanation: The College uses an approved federally-negotiated indirect cost rate.
Note: During the year ended June 30, 2023, the College processed the following amount of new loans under the Federal Direct Lending program. Since this program is administered by outside financial institutions, new loans made during the fiscal year relating to this program are considered current year expenditures in the schedule.
ALN: 84.268
Program Name: Federal Direct Lending
Loan Expenditures: $4,815,370

Title: Reconciliation to the Basic Financial Statements
Accounting Policies: Expenditures reported on the schedule are reported on the accrual basis of accounting. Such expenditures are recognized following, as applicable, the cost principles contained in Title 2 U.S. Code of Federal Regulations Part 200; Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), wherein certain types of expenditures are not allowable or are limited as to reimbursement. Pass-through entity identifying numbers are presented in the schedule. The College has elected not to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance.
De Minimis Rate Used: N
Rate Explanation: The College uses an approved federally-negotiated indirect cost rate.
Note: Total expenditures per the Schedule of Expenditures of Federal Awards reconciles to the College’s basic financial statements for the year ended June 30, 2023, as follows:
Governmental grant and contracts, Statements of Revenues, Expenses and Changes In Net Position: $10,465,662
Add: Loan disbursements not included in financial statements but on the schedule: $4,815,370
Total expenditures per the schedule: $15,281,032

Finding Details

2023-001: Gramm-Leach-Bliley Act
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Aid Cluster
Assistance Listing Number: 84.063, 84.268, 84.007, 84.033
Federal Award Identification Number: P007A221715, P033A221715, Po63P221544, P268K231544
Award Period: July 1, 2022 - June 30, 2023
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Criteria or specific requirement:
Internal Control - Per 2 CFR section 200.303(a), a non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4.
Condition: Certain elements of the College’s information security program were not maintained in written form.
Questioned costs: None
Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2023:
  Conduct a periodic inventory of data, noting where it's collected, stored or transmitted;
  Encrypt customer information on the institution's system and when it's in transit;
  Implement multi-factor authentication for anyone accessing customer information on the institution's system;
  Maintain a log of authorized users' activity and keep an eye out for unauthorized access; and,
  Provides for the institution to regularly test or otherwise monitor effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
Cause: The College engaged an external consultant to aid in the development of a comprehensive written information security program, but the resulting written policies and procedures were not complete as of the June 2023 deadline. However, the College had implemented the required actions under the requirements, and was actively managing information security within the intent of the requirements. The program was later written to codify College process.
Effect: Information security management may not be optimized and responses delayed without the written plan.
Repeat Finding: No
Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4.
Views of responsible officials: Management acknowledges that the policy components were not in a written comprehensive format; however, the College was and continues to conduct those actions required in a written plan, and subsequent to the deadline has created the written documents to satisfy the requirements without compromise to any student information.

2023-002: Special Tests and Provisions - NSLDS Program - Level Reporting
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Aid Cluster
Assistance Listing Number: 84.063, 84.268
Federal Award Identification Number: P063P221544, P268K231544
Award Period: July 1, 2022 - June 30, 2023
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Criteria or specific requirement:
Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Compliance – Per the NSLDS Enrollment Reporting Guide, Published Program Length should be reported to NSLDS based on the definition of “normal time” to completion in the regulations at 34 CFR 668.41(a), as follows:
  If the school has published, in its catalog, on its website, or in any promotional materials, the length of the program in weeks, months, or years, the program length reported must be the same as the program length that the school published.
  If the school has not published a program length and the program is an associate or bachelor's degree program, the program length to be reported should be two years (associate) or four years (bachelor), respectively, unless the academic design of the program makes it longer or shorter than typical.
  For all other programs for which the school has not published a program length, the program length is based on the school's determination of how long, in weeks, months, or years, the program is designed for a full-time student to complete.
Condition: The associate degree programs were not reported as two years per the recommendation in the NSLDS enrollment reporting guide.
Questioned costs: None
Context: The condition occurred for 38 out of the 40 students tested.
Cause: The program length reported to NSLDS for associate degree programs is maintained in the College ERP system based on program length in months and was not converted to years as recommended in the NSLDS enrollment reporting guide.
Effect: The NSLDS system calculated the program length at 2.678 years.
Repeat Finding: No
Recommendation: We recommend the College report associate degree program length to NSLDS as two years.
Views of responsible officials: There is no disagreement with the audit finding.
2023-002: Special Tests and Provisions - NSLDS Program - Level Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number: P063P221544, P268K231544 Award Period: July 1, 2022 - June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or Specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – Per the NSLDS Enrollment Reporting Guide, Published Program Length should be reported to NSLDS based on the definition of “normal time” to completion in the regulations at 34 CFR 668.41(a), as follows: If the school has published, in it's catalog, on it's website, or in any promotional materials, the length of the program in weeks, months, or years, the program length reported must be the same as the program length that the school published. If the school has not published a program length and the program is an associate or bachelor's degree program, the program length to be reported should be two years (associate) or four years (bachelor), respectively, unless the academic design of the program makes it longer or shorter than typical. 
For all other programs for which the school has not published a program length, the program length is based on the school's determination of how long, in weeks, months, or years, the program is designed for a full-time student to complete. Condition: The associate degree programs were not reported as two years per the recommendation in the NSLDS enrollment reporting guide. Questioned costs: None Context: The condition occurred for 38 out of the 40 students tested Cause: The program length reported to NSLDS for associate degree programs is maintained in the College ERP system based on program length in months and was not converted to years as recommended in the NSLDS enrollment reporting guide. Effect: The NSLDS system calculated the program length at 2.678 years. Repeat Finding: No Recommendation: We recommend the College report associate degree program length to NSLDS as two years. Views of responsible officials: There is no disagreement with the audit finding.
2023-001: Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Name: Student Finacial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P007A221715, P033A221715, Po63P221544, P268K231544 Award Period: July 1, 2022 - June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control - Per 2 CFR section 200.303(a), a non-Federal entity must Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. 
Condition: Certain elements of the College’s information security program were not maintained in written form. Questioned costs: None Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2023: Conduct a periodic inventory of data, noting where it's collected, stored or transmitted. Encrypt customer information on the institution's system and when it's in transit; Implement multi-factor authentication for anyone accessing customer information on the institution's system; Maintain a log of authorized users' activity and keep an eye out for unauthorized access; and, Provides for the institution to regularly test or otherwise monitor effectiveness of the safeguards it has implemented (16 CFR 314.4(d)) Cause: The College engaged an external consultant to aid in the development of comprehensive written information security program, but the resulting written policies and procedures were not complete as of the June 2023 deadline. However the College had implemented the required actions under the requirements, and was actively managing information security within the intent of the requirements. The program was later written to codify College process. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: Management acknowledges that the policy components were not in a written comprehensive format, however the College was and continues to conduct those actions required in a written plan, and subsequent to the deadline has created the written documents to satisfy the requirements without compromise to any student information
2023-002: Special Tests and Provisions - NSLDS Program-Level Reporting
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Aid Cluster
Assistance Listing Number: 84.063, 84.268
Federal Award Identification Number: P063P221544, P268K231544
Award Period: July 1, 2022 - June 30, 2023
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Criteria or specific requirement:
Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Compliance – Per the NSLDS Enrollment Reporting Guide, Published Program Length should be reported to NSLDS based on the definition of “normal time” to completion in the regulations at 34 CFR 668.41(a), as follows:
If the school has published, in its catalog, on its website, or in any promotional materials, the length of the program in weeks, months, or years, the program length reported must be the same as the program length that the school published.
If the school has not published a program length and the program is an associate or bachelor's degree program, the program length to be reported should be two years (associate) or four years (bachelor), respectively, unless the academic design of the program makes it longer or shorter than typical.
For all other programs for which the school has not published a program length, the program length is based on the school's determination of how long, in weeks, months, or years, the program is designed for a full-time student to complete.
Condition: The associate degree programs were not reported as two years per the recommendation in the NSLDS enrollment reporting guide.
Questioned costs: None
Context: The condition occurred for 38 out of the 40 students tested.
Cause: The program length reported to NSLDS for associate degree programs is maintained in the College ERP system based on program length in months and was not converted to years as recommended in the NSLDS enrollment reporting guide.
Effect: The NSLDS system calculated the program length at 2.678 years.
Repeat Finding: No
Recommendation: We recommend the College report associate degree program length to NSLDS as two years.
Views of responsible officials: There is no disagreement with the audit finding.