FAC Explorer

Audit 14454

FY End
2023-06-30
Total Expended
$20.80M
Findings
10
Programs
6
Organization: Piedmont University (GA)
Year: 2023 Accepted: 2024-01-30
Auditor: Cliftonlarsonallen LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
10807 2023-001 Significant Deficiency - N
10808 2023-001 Significant Deficiency - N
10809 2023-001 Significant Deficiency - N
10810 2023-001 Significant Deficiency - N
10811 2023-001 Significant Deficiency - N
587249 2023-001 Significant Deficiency - N
587250 2023-001 Significant Deficiency - N
587251 2023-001 Significant Deficiency - N
587252 2023-001 Significant Deficiency - N
587253 2023-001 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $15.95M Yes 1
84.063 Federal Pell Grant Program $2.75M Yes 1
84.425 Education Stabilization Fund $1.34M - 0
84.033 Federal Work-Study Program $226,685 Yes 1
84.007 Federal Supplemental Educational Opportunity Grants $123,117 Yes 1
84.379 Teacher Education Assistance for College and Higher Education Grants (teach Grants) $26,401 Yes 1

Contacts

Name Title Type
NGYMABXHNT49 Kristi Williams Auditee
7067760123 Christina Bowman Auditor
No contacts on file

Notes to SEFA

Title: FEDERAL LOANS DISBURSED Accounting Policies: The accompanying schedule of expenditures of federal awards includes the federal award activity of Piedmont University (the University) and is presented on the accrual basis of accounting. The information in this schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance); therefore, some amounts presented in this schedule may differ from amounts presented in, or used in the preparation of, the financial statements. De Minimis Rate Used: N Rate Explanation: There were no noncash awards in the current year. The University has elected not to use the 10% de minimis indirect cost rate for allocation. The University participates in the Federal Direct Loan Program, including Federal Stafford Loans (Stafford) and Federal PLUS Loans (PLUS). The dollar amounts are listed in the schedule of expenditures of federal awards, although the University is not the recipient of the funds. Such programs are considered a component of the student financial assistance cluster. Loans processed by the University under this Loan Program were the following for the year ended June 30, 2023: Federal Direct Loan Program Stafford Subsidized -- $2,986,740 Unsubsidized -- $10,953,107 PLUS -- $2,010,920 Total Federal Direct Loan Program -- $15,950,767

Finding Details

Finding 2023-001
Federal agency: Department of Education Federal program title: Student Financial Aid Cluster Assistance Listing Number: 84.033, 84.063, 84.007, 84.379, 84.268 Federal Award Identification Number and Year: P033A223771 (CWS 22‐23), P063P220377 (Pell 22‐23), P007A223771 (SEOG 22‐23), P379T230377 (Teach 22‐23), P268K230377 (Direct Loan 2023) Award Period: July 1, 2022, through June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance (Other Matters) Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act (GLBA), schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Condition: The University was not in compliance with GLBA. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and we identified that the organization does not meet the compliance requirements outlined in the GLBA Safeguards Rule. Specifically, discrepancies were identified in requirement B.3, pertaining to the implementation of periodic review and implementation of user access controls, encryption controls, the use of multi-factor authentication, and change management policy. Furthermore, it was noted that the written information security program (WISP) lacked any mention of penetration testing or vulnerability scans. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: Department of Education Federal program title: Student Financial Aid Cluster Assistance Listing Number: 84.033, 84.063, 84.007, 84.379, 84.268 Federal Award Identification Number and Year: P033A223771 (CWS 22‐23), P063P220377 (Pell 22‐23), P007A223771 (SEOG 22‐23), P379T230377 (Teach 22‐23), P268K230377 (Direct Loan 2023) Award Period: July 1, 2022, through June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance (Other Matters) Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act (GLBA), schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Condition: The University was not in compliance with GLBA. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and we identified that the organization does not meet the compliance requirements outlined in the GLBA Safeguards Rule. Specifically, discrepancies were identified in requirement B.3, pertaining to the implementation of periodic review and implementation of user access controls, encryption controls, the use of multi-factor authentication, and change management policy. Furthermore, it was noted that the written information security program (WISP) lacked any mention of penetration testing or vulnerability scans. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: Department of Education Federal program title: Student Financial Aid Cluster Assistance Listing Number: 84.033, 84.063, 84.007, 84.379, 84.268 Federal Award Identification Number and Year: P033A223771 (CWS 22‐23), P063P220377 (Pell 22‐23), P007A223771 (SEOG 22‐23), P379T230377 (Teach 22‐23), P268K230377 (Direct Loan 2023) Award Period: July 1, 2022, through June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance (Other Matters) Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act (GLBA), schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Condition: The University was not in compliance with GLBA. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and we identified that the organization does not meet the compliance requirements outlined in the GLBA Safeguards Rule. Specifically, discrepancies were identified in requirement B.3, pertaining to the implementation of periodic review and implementation of user access controls, encryption controls, the use of multi-factor authentication, and change management policy. Furthermore, it was noted that the written information security program (WISP) lacked any mention of penetration testing or vulnerability scans. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: Department of Education Federal program title: Student Financial Aid Cluster Assistance Listing Number: 84.033, 84.063, 84.007, 84.379, 84.268 Federal Award Identification Number and Year: P033A223771 (CWS 22‐23), P063P220377 (Pell 22‐23), P007A223771 (SEOG 22‐23), P379T230377 (Teach 22‐23), P268K230377 (Direct Loan 2023) Award Period: July 1, 2022, through June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance (Other Matters) Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act (GLBA), schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Condition: The University was not in compliance with GLBA. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and we identified that the organization does not meet the compliance requirements outlined in the GLBA Safeguards Rule. Specifically, discrepancies were identified in requirement B.3, pertaining to the implementation of periodic review and implementation of user access controls, encryption controls, the use of multi-factor authentication, and change management policy. Furthermore, it was noted that the written information security program (WISP) lacked any mention of penetration testing or vulnerability scans. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: Department of Education Federal program title: Student Financial Aid Cluster Assistance Listing Number: 84.033, 84.063, 84.007, 84.379, 84.268 Federal Award Identification Number and Year: P033A223771 (CWS 22‐23), P063P220377 (Pell 22‐23), P007A223771 (SEOG 22‐23), P379T230377 (Teach 22‐23), P268K230377 (Direct Loan 2023) Award Period: July 1, 2022, through June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance (Other Matters) Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act (GLBA), schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Condition: The University was not in compliance with GLBA. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and we identified that the organization does not meet the compliance requirements outlined in the GLBA Safeguards Rule. Specifically, discrepancies were identified in requirement B.3, pertaining to the implementation of periodic review and implementation of user access controls, encryption controls, the use of multi-factor authentication, and change management policy. Furthermore, it was noted that the written information security program (WISP) lacked any mention of penetration testing or vulnerability scans. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: Department of Education Federal program title: Student Financial Aid Cluster Assistance Listing Number: 84.033, 84.063, 84.007, 84.379, 84.268 Federal Award Identification Number and Year: P033A223771 (CWS 22‐23), P063P220377 (Pell 22‐23), P007A223771 (SEOG 22‐23), P379T230377 (Teach 22‐23), P268K230377 (Direct Loan 2023) Award Period: July 1, 2022, through June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance (Other Matters) Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act (GLBA), schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Condition: The University was not in compliance with GLBA. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and we identified that the organization does not meet the compliance requirements outlined in the GLBA Safeguards Rule. Specifically, discrepancies were identified in requirement B.3, pertaining to the implementation of periodic review and implementation of user access controls, encryption controls, the use of multi-factor authentication, and change management policy. Furthermore, it was noted that the written information security program (WISP) lacked any mention of penetration testing or vulnerability scans. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: Department of Education Federal program title: Student Financial Aid Cluster Assistance Listing Number: 84.033, 84.063, 84.007, 84.379, 84.268 Federal Award Identification Number and Year: P033A223771 (CWS 22‐23), P063P220377 (Pell 22‐23), P007A223771 (SEOG 22‐23), P379T230377 (Teach 22‐23), P268K230377 (Direct Loan 2023) Award Period: July 1, 2022, through June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance (Other Matters) Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act (GLBA), schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Condition: The University was not in compliance with GLBA. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and we identified that the organization does not meet the compliance requirements outlined in the GLBA Safeguards Rule. Specifically, discrepancies were identified in requirement B.3, pertaining to the implementation of periodic review and implementation of user access controls, encryption controls, the use of multi-factor authentication, and change management policy. Furthermore, it was noted that the written information security program (WISP) lacked any mention of penetration testing or vulnerability scans. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: Department of Education Federal program title: Student Financial Aid Cluster Assistance Listing Number: 84.033, 84.063, 84.007, 84.379, 84.268 Federal Award Identification Number and Year: P033A223771 (CWS 22‐23), P063P220377 (Pell 22‐23), P007A223771 (SEOG 22‐23), P379T230377 (Teach 22‐23), P268K230377 (Direct Loan 2023) Award Period: July 1, 2022, through June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance (Other Matters) Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act (GLBA), schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Condition: The University was not in compliance with GLBA. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and we identified that the organization does not meet the compliance requirements outlined in the GLBA Safeguards Rule. Specifically, discrepancies were identified in requirement B.3, pertaining to the implementation of periodic review and implementation of user access controls, encryption controls, the use of multi-factor authentication, and change management policy. Furthermore, it was noted that the written information security program (WISP) lacked any mention of penetration testing or vulnerability scans. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: Department of Education Federal program title: Student Financial Aid Cluster Assistance Listing Number: 84.033, 84.063, 84.007, 84.379, 84.268 Federal Award Identification Number and Year: P033A223771 (CWS 22‐23), P063P220377 (Pell 22‐23), P007A223771 (SEOG 22‐23), P379T230377 (Teach 22‐23), P268K230377 (Direct Loan 2023) Award Period: July 1, 2022, through June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance (Other Matters) Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act (GLBA), schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Condition: The University was not in compliance with GLBA. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and we identified that the organization does not meet the compliance requirements outlined in the GLBA Safeguards Rule. Specifically, discrepancies were identified in requirement B.3, pertaining to the implementation of periodic review and implementation of user access controls, encryption controls, the use of multi-factor authentication, and change management policy. Furthermore, it was noted that the written information security program (WISP) lacked any mention of penetration testing or vulnerability scans. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: Department of Education Federal program title: Student Financial Aid Cluster Assistance Listing Number: 84.033, 84.063, 84.007, 84.379, 84.268 Federal Award Identification Number and Year: P033A223771 (CWS 22‐23), P063P220377 (Pell 22‐23), P007A223771 (SEOG 22‐23), P379T230377 (Teach 22‐23), P268K230377 (Direct Loan 2023) Award Period: July 1, 2022, through June 30, 2023 Type of Finding: Significant Deficiency in Internal Control over Compliance (Other Matters) Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act (GLBA), schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Condition: The University was not in compliance with GLBA. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and we identified that the organization does not meet the compliance requirements outlined in the GLBA Safeguards Rule. Specifically, discrepancies were identified in requirement B.3, pertaining to the implementation of periodic review and implementation of user access controls, encryption controls, the use of multi-factor authentication, and change management policy. Furthermore, it was noted that the written information security program (WISP) lacked any mention of penetration testing or vulnerability scans. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.