Audit 14195

Federal Agency: Department of Education Federal Program: Student Financial Assistance Cluster ALN Numbers: 84.268 – Federal Direct Loan Program Award Period: July 1, 2022 through June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance and Other Matters Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309(b), states schools must have some arrangement to report student enrollment data to NSLDS through an enrollment roster file. The school is required to report changes in the student’s enrollment status, the effective date of the status, and an anticipated completion date. Also, the Code of Federal Regulations, 34 CFR 682.610, states that institutions must report accurately the enrollment status of all students regardless if they receive aid from the institution or not. Changes to said status are required to be reported within 30 days of becoming aware of the status change, or with the next scheduled transmission of statuses if the scheduled transmission is within 60 days. Condition: During our testing, we noted 4 out of the 8 students tested where the student was not reported in a timely manner after the school determined the students change in status. Furthermore, 4 out of the 8 students effective date per the institution did not match the enrollment effective date. Questioned Costs: None Context: During our testing, it was noted the Seminary did properly report the effective date to NSLDS based on the Seminary’s records. Cause: The Seminary did not determine graduate students effective date correctly due to extenuating circumstance. Effect: The enrollment effective date reported to NSLDS is used to determine when the student’s grace period should begin. By reporting an incorrect effective date, the grace period begin date for the student will be incorrect. Repeat Finding: Yes, 2022-001 Recommendation: We recommend the Seminary reevaluate its procedures and review policies surrounding reporting status changes to NSLDS to ensure timely reporting as well as put a process in place to ensure the enrollment effective date reported to NSLDS is aligning with the Seminary’s last date of attendance. Views of Responsible Officials: There is no disagreement with the audit finding.

Federal Agency: Department of Education Federal Program: Student Financial Assistance Cluster ALN Numbers: 84.268 – Federal Direct Loan Program Award Period: July 1, 2022 through June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance and Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, we noted several steps missing from the Written Information Security Program (WISP). Questioned Costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were several elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the Seminary review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.

Federal Agency: Department of Education Federal Program: Student Financial Assistance Cluster ALN Numbers: 84.268 – Federal Direct Loan Program Award Period: July 1, 2022 through June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance and Other Matters Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309(b), states schools must have some arrangement to report student enrollment data to NSLDS through an enrollment roster file. The school is required to report changes in the student’s enrollment status, the effective date of the status, and an anticipated completion date. Also, the Code of Federal Regulations, 34 CFR 682.610, states that institutions must report accurately the enrollment status of all students regardless if they receive aid from the institution or not. Changes to said status are required to be reported within 30 days of becoming aware of the status change, or with the next scheduled transmission of statuses if the scheduled transmission is within 60 days. Condition: During our testing, we noted 4 out of the 8 students tested where the student was not reported in a timely manner after the school determined the students change in status. Furthermore, 4 out of the 8 students effective date per the institution did not match the enrollment effective date. Questioned Costs: None Context: During our testing, it was noted the Seminary did properly report the effective date to NSLDS based on the Seminary’s records. Cause: The Seminary did not determine graduate students effective date correctly due to extenuating circumstance. Effect: The enrollment effective date reported to NSLDS is used to determine when the student’s grace period should begin. By reporting an incorrect effective date, the grace period begin date for the student will be incorrect. Repeat Finding: Yes, 2022-001 Recommendation: We recommend the Seminary reevaluate its procedures and review policies surrounding reporting status changes to NSLDS to ensure timely reporting as well as put a process in place to ensure the enrollment effective date reported to NSLDS is aligning with the Seminary’s last date of attendance. Views of Responsible Officials: There is no disagreement with the audit finding.

Federal Agency: Department of Education Federal Program: Student Financial Assistance Cluster ALN Numbers: 84.268 – Federal Direct Loan Program Award Period: July 1, 2022 through June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance and Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, we noted several steps missing from the Written Information Security Program (WISP). Questioned Costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were several elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the Seminary review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.