Audit 24280

FY End: 2022-05-31
Total Expended: $12.01M
Findings: 16
Programs: 7
Year: 2022
Accepted: 2023-02-27

Findings

ID Ref Severity Repeat Requirement
35214 2022-001 Significant Deficiency - N
35215 2022-002 Significant Deficiency - N
35216 2022-001 Significant Deficiency - N
35217 2022-002 Significant Deficiency - N
35218 2022-001 Significant Deficiency - N
35219 2022-002 Significant Deficiency - N
35220 2022-001 Significant Deficiency - N
35221 2022-002 Significant Deficiency - N
611656 2022-001 Significant Deficiency - N
611657 2022-002 Significant Deficiency - N
611658 2022-001 Significant Deficiency - N
611659 2022-002 Significant Deficiency - N
611660 2022-001 Significant Deficiency - N
611661 2022-002 Significant Deficiency - N
611662 2022-001 Significant Deficiency - N
611663 2022-002 Significant Deficiency - N

Contacts

Name Title Type
JQSDRGK2M9S3 Deidre Erwin Auditee
4148473235 Ryan Lay, CPA Auditor

Notes to SEFA

Title: Basis of Presentation
Accounting Policies: Expenditures reported on the Schedules are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement.
De Minimis Rate Used: N
Rate Explanation: The Institute has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance.

The accompanying schedules of expenditures of federal and state awards (the Schedules) include the federal and state award activity of Milwaukee Institute of Art and Design, Inc. (the Institute) under programs of the federal and state government for the year ended May 31, 2022. The information in these Schedules is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) and the State Single Audit Guidelines. Because the Schedules present only a selected portion of the operations of the Institute, it is not intended to and does not present the financial position, changes in net assets or cash flows of the Institute.

Finding Details

2022-001
Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster.
Finding Type: Noncompliance and significant deficiency in internal control over compliance relating to special tests
Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for accurately reporting significant data elements under the Campus-Level and Program-Level records within the National Student Loan Data System (NSLDS) that DOE considers high risk.
Statement of Condition: Management's review of the enrollment reporting did not detect errors on certain student data elements. Certain student records within the NSLDS were identified with inaccurate data elements.
Questioned Costs: Questioned costs could not be determined.
Context: Five students were identified with inaccurate data elements reported out of a total of 40 students tested.
Cause: The Institute's internal control over compliance did not detect and correct the errors. The preparer incorrectly input the student's status into NSLDS resulting in inaccuracies in significant Campus-Level and Program-Level enrollment data elements that DOE considers high risk.
Effect: The Institute incorrectly reported certain Campus-Level and Program-Level records in NSLDS which is information that DOE considers high risk and the Institute's internal controls over compliance did not detect and correct the errors.
Recommendation: We recommend management review policies and procedures surrounding enrollment reporting submissions to ensure the accuracy of data elements reported to DOE. A review performed by an appropriate individual separate from the preparer prior to the submission of the enrollment reports to NSLDS may improve the accuracy of enrollment reporting.
Management's Response: Management agrees with the finding. Through internal investigation, it was determined that the issue arose through National Student Clearinghouse (NSC), which reports the Institute's data to NSLDS. Management will work with NSC to assure graduates are accurately reported as soon as possible within existing external systems. The changes to management's enrollment reporting procedures will be added to the Institute's NSC submissions procedure documentation.

2022-002
Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster.
Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests
Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal Regulations (CFR) 314.4 (b).
Statement of Condition: A formal risk assessment was not completed and documented in fiscal 2022 which would have addressed required areas noted in 16 CFR 314.4 (b).
Questioned Costs: Questioned costs could not be determined.
Context: The internal controls over compliance at the Institute did not identify that a risk assessment in compliance with the Gramm-Leach-Bliley Act was not completed and that the Institute did not comply with the compliance requirement. However, the Institute has safeguards for each area identified within 16 CFR 314.4 (b).
Cause: The Institute did not have internal controls in place to identify the need for the risk assessment required by the Gramm-Leach-Bliley Act.
Effect: The Institute has no verifiable evidence of the risk assessment performed and the related safeguards for each risk identified.
Recommendation: We recommend management review 16 CFR 314.4 (b) to perform a risk assessment that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures. This risk assessment should be documented and we recommend that the Institute document the approval and acceptance of the risk assessment. In addition, we recommend management review internal control processes for special tests and provisions on an annual basis.
Management's Response: Management agrees with the finding. The Institute will review 16 CFR 314.4 (b) and develop a written Information Security Plan (ISP) that outlines the procedures and practices to protect non-public personal information (NPI) and manage information security risks. The Institute will provide routinely scheduled training to all current and new employees on the importance of protecting NPI and the procedures they must follow to ensure that employees are up-to-date with the latest information security best practices. The Institute will continue to conduct regular risk assessments to identify potential security vulnerabilities, both internal and external, to evaluate the effectiveness of the ISP. The Institute will develop a plan to investigate and respond to security incidents that may compromise NPI. If an incident occurs the Institute will follow the ISP to remedy the incident, and revise the ISP as needed.
2022-001 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and significant deficiency in internal control over compliance relating to special tests Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for accurately reporting significant data elements under the Campus-Level and Program-Level records within the National Student Loan Data System (NSLDS) that DOE considers high risk. Statement of Condition: Management's review of the enrollment reporting did not detect errors on certain student data elements. Certain student records within the NSLDS were identified with inaccurate data elements. Questioned Costs: Questioned costs could not be determined. Context: Five students were identified with inaccurate data elements reported out of a total of 40 students tested. Cause: The Institute?s internal control over compliance did not detect and correct the errors. The preparer incorrectly input the student's status into NSLDS resulting in inaccuracies in significant Campus-Level and Program-Level enrollment data elements that DOE considers high risk. Effect: The Institute incorrectly reported certain Campus-Level and Program-Level records in NSLDS which is information that DOE considers high risk and the Institute?s internal controls over compliance did not detect and correct the errors. Recommendation: We recommend management review policies and procedures surrounding enrollment reporting submissions to ensure the accuracy of data elements reported to DOE. A review performed by an appropriate individual separate from the preparer prior to the submission of the enrollment reports to NSLDS may improve the accuracy of enrollment reporting. Management?s Response: Management agrees with the finding. 
Through internal investigation, it was determined that the issue arose through National Student Clearinghouse (NSC), which reports the Institute?s data to NSLDS. Management will work with NSC to assure graduates are accurately reported as soon as possible within existing external systems. The changes to management?s enrollment reporting procedures will be added to the Institute?s NSC submissions procedure documentation.
2022-002 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal Regulations (CFR) 314.4 (b). Statement of Condition: A formal risk assessment was not completed and documented in fiscal 2022 which would have addressed required areas noted in 16 CFR 314.4 (b). Questioned Costs: Questioned costs could not be determined. Context: The internal controls over compliance at the Institute did not identify that a risk assessment in compliance with the Gramm-Leach-Bliley Act was not completed and that the Institute did not comply with the compliance requirement. However, the Institute has safeguards for each area identified within 16 CFR 314.4 (b). Cause: The Institute did not have internal controls in place to identify the need for the risk assessment required by the Gramm-Leach-Bliley Act. Effect: The Institute has no verifiable evidence of the risk assessment performed and the related safeguards for each risk identified. Recommendation: We recommend management review 16 CFR 314.4 (b) to perform a risk assessment that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures. 
This risk assessment should be documented and we recommend that the Institute document the approval and acceptance of the risk assessment. In addition, we recommend management review internal control processes for special tests and provisions on an annual basis. Management?s Response: Management agrees with the finding. The Institute will review 16 CFR 314.4 (b) and develop a written Information Security Plan (ISP) that outlines the procedures and practices to protect non-public personal information (NPI) and manage information security risks. The Institute will provide routinely scheduled training to all current and new employees on the importance of protecting NPI and the procedures they must follow to ensure that employees are up-to-date with the latest information security best practices. The Institute will continue to conduct regular risk assessments to identify potential security vulnerabilities, both internal and external, to evaluate the effectiveness of the ISP. The Institute will develop a plan to investigate and respond to security incidents that may compromise NPI. If an incident occurs the Institute will follow the ISP to remedy the incident, and revise the ISP as needed.
2022-001 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and significant deficiency in internal control over compliance relating to special tests Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for accurately reporting significant data elements under the Campus-Level and Program-Level records within the National Student Loan Data System (NSLDS) that DOE considers high risk. Statement of Condition: Management's review of the enrollment reporting did not detect errors on certain student data elements. Certain student records within the NSLDS were identified with inaccurate data elements. Questioned Costs: Questioned costs could not be determined. Context: Five students were identified with inaccurate data elements reported out of a total of 40 students tested. Cause: The Institute?s internal control over compliance did not detect and correct the errors. The preparer incorrectly input the student's status into NSLDS resulting in inaccuracies in significant Campus-Level and Program-Level enrollment data elements that DOE considers high risk. Effect: The Institute incorrectly reported certain Campus-Level and Program-Level records in NSLDS which is information that DOE considers high risk and the Institute?s internal controls over compliance did not detect and correct the errors. Recommendation: We recommend management review policies and procedures surrounding enrollment reporting submissions to ensure the accuracy of data elements reported to DOE. A review performed by an appropriate individual separate from the preparer prior to the submission of the enrollment reports to NSLDS may improve the accuracy of enrollment reporting. Management?s Response: Management agrees with the finding. 
Through internal investigation, it was determined that the issue arose through National Student Clearinghouse (NSC), which reports the Institute?s data to NSLDS. Management will work with NSC to assure graduates are accurately reported as soon as possible within existing external systems. The changes to management?s enrollment reporting procedures will be added to the Institute?s NSC submissions procedure documentation.
2022-002 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal Regulations (CFR) 314.4 (b). Statement of Condition: A formal risk assessment was not completed and documented in fiscal 2022 which would have addressed required areas noted in 16 CFR 314.4 (b). Questioned Costs: Questioned costs could not be determined. Context: The internal controls over compliance at the Institute did not identify that a risk assessment in compliance with the Gramm-Leach-Bliley Act was not completed and that the Institute did not comply with the compliance requirement. However, the Institute has safeguards for each area identified within 16 CFR 314.4 (b). Cause: The Institute did not have internal controls in place to identify the need for the risk assessment required by the Gramm-Leach-Bliley Act. Effect: The Institute has no verifiable evidence of the risk assessment performed and the related safeguards for each risk identified. Recommendation: We recommend management review 16 CFR 314.4 (b) to perform a risk assessment that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures. 
This risk assessment should be documented and we recommend that the Institute document the approval and acceptance of the risk assessment. In addition, we recommend management review internal control processes for special tests and provisions on an annual basis. Management?s Response: Management agrees with the finding. The Institute will review 16 CFR 314.4 (b) and develop a written Information Security Plan (ISP) that outlines the procedures and practices to protect non-public personal information (NPI) and manage information security risks. The Institute will provide routinely scheduled training to all current and new employees on the importance of protecting NPI and the procedures they must follow to ensure that employees are up-to-date with the latest information security best practices. The Institute will continue to conduct regular risk assessments to identify potential security vulnerabilities, both internal and external, to evaluate the effectiveness of the ISP. The Institute will develop a plan to investigate and respond to security incidents that may compromise NPI. If an incident occurs the Institute will follow the ISP to remedy the incident, and revise the ISP as needed.
2022-001 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and significant deficiency in internal control over compliance relating to special tests Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for accurately reporting significant data elements under the Campus-Level and Program-Level records within the National Student Loan Data System (NSLDS) that DOE considers high risk. Statement of Condition: Management's review of the enrollment reporting did not detect errors on certain student data elements. Certain student records within the NSLDS were identified with inaccurate data elements. Questioned Costs: Questioned costs could not be determined. Context: Five students were identified with inaccurate data elements reported out of a total of 40 students tested. Cause: The Institute?s internal control over compliance did not detect and correct the errors. The preparer incorrectly input the student's status into NSLDS resulting in inaccuracies in significant Campus-Level and Program-Level enrollment data elements that DOE considers high risk. Effect: The Institute incorrectly reported certain Campus-Level and Program-Level records in NSLDS which is information that DOE considers high risk and the Institute?s internal controls over compliance did not detect and correct the errors. Recommendation: We recommend management review policies and procedures surrounding enrollment reporting submissions to ensure the accuracy of data elements reported to DOE. A review performed by an appropriate individual separate from the preparer prior to the submission of the enrollment reports to NSLDS may improve the accuracy of enrollment reporting. Management?s Response: Management agrees with the finding. 
Through internal investigation, it was determined that the issue arose through National Student Clearinghouse (NSC), which reports the Institute?s data to NSLDS. Management will work with NSC to assure graduates are accurately reported as soon as possible within existing external systems. The changes to management?s enrollment reporting procedures will be added to the Institute?s NSC submissions procedure documentation.
2022-002 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal Regulations (CFR) 314.4 (b). Statement of Condition: A formal risk assessment was not completed and documented in fiscal 2022 which would have addressed required areas noted in 16 CFR 314.4 (b). Questioned Costs: Questioned costs could not be determined. Context: The internal controls over compliance at the Institute did not identify that a risk assessment in compliance with the Gramm-Leach-Bliley Act was not completed and that the Institute did not comply with the compliance requirement. However, the Institute has safeguards for each area identified within 16 CFR 314.4 (b). Cause: The Institute did not have internal controls in place to identify the need for the risk assessment required by the Gramm-Leach-Bliley Act. Effect: The Institute has no verifiable evidence of the risk assessment performed and the related safeguards for each risk identified. Recommendation: We recommend management review 16 CFR 314.4 (b) to perform a risk assessment that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures. 
This risk assessment should be documented and we recommend that the Institute document the approval and acceptance of the risk assessment. In addition, we recommend management review internal control processes for special tests and provisions on an annual basis. Management?s Response: Management agrees with the finding. The Institute will review 16 CFR 314.4 (b) and develop a written Information Security Plan (ISP) that outlines the procedures and practices to protect non-public personal information (NPI) and manage information security risks. The Institute will provide routinely scheduled training to all current and new employees on the importance of protecting NPI and the procedures they must follow to ensure that employees are up-to-date with the latest information security best practices. The Institute will continue to conduct regular risk assessments to identify potential security vulnerabilities, both internal and external, to evaluate the effectiveness of the ISP. The Institute will develop a plan to investigate and respond to security incidents that may compromise NPI. If an incident occurs the Institute will follow the ISP to remedy the incident, and revise the ISP as needed.
2022-001 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and significant deficiency in internal control over compliance relating to special tests Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for accurately reporting significant data elements under the Campus-Level and Program-Level records within the National Student Loan Data System (NSLDS) that DOE considers high risk. Statement of Condition: Management's review of the enrollment reporting did not detect errors on certain student data elements. Certain student records within the NSLDS were identified with inaccurate data elements. Questioned Costs: Questioned costs could not be determined. Context: Five students were identified with inaccurate data elements reported out of a total of 40 students tested. Cause: The Institute?s internal control over compliance did not detect and correct the errors. The preparer incorrectly input the student's status into NSLDS resulting in inaccuracies in significant Campus-Level and Program-Level enrollment data elements that DOE considers high risk. Effect: The Institute incorrectly reported certain Campus-Level and Program-Level records in NSLDS which is information that DOE considers high risk and the Institute?s internal controls over compliance did not detect and correct the errors. Recommendation: We recommend management review policies and procedures surrounding enrollment reporting submissions to ensure the accuracy of data elements reported to DOE. A review performed by an appropriate individual separate from the preparer prior to the submission of the enrollment reports to NSLDS may improve the accuracy of enrollment reporting. Management?s Response: Management agrees with the finding. 
Through internal investigation, it was determined that the issue arose through National Student Clearinghouse (NSC), which reports the Institute?s data to NSLDS. Management will work with NSC to assure graduates are accurately reported as soon as possible within existing external systems. The changes to management?s enrollment reporting procedures will be added to the Institute?s NSC submissions procedure documentation.
2022-002 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal Regulations (CFR) 314.4 (b). Statement of Condition: A formal risk assessment was not completed and documented in fiscal 2022 which would have addressed required areas noted in 16 CFR 314.4 (b). Questioned Costs: Questioned costs could not be determined. Context: The internal controls over compliance at the Institute did not identify that a risk assessment in compliance with the Gramm-Leach-Bliley Act was not completed and that the Institute did not comply with the compliance requirement. However, the Institute has safeguards for each area identified within 16 CFR 314.4 (b). Cause: The Institute did not have internal controls in place to identify the need for the risk assessment required by the Gramm-Leach-Bliley Act. Effect: The Institute has no verifiable evidence of the risk assessment performed and the related safeguards for each risk identified. Recommendation: We recommend management review 16 CFR 314.4 (b) to perform a risk assessment that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures. 
This risk assessment should be documented and we recommend that the Institute document the approval and acceptance of the risk assessment. In addition, we recommend management review internal control processes for special tests and provisions on an annual basis. Management?s Response: Management agrees with the finding. The Institute will review 16 CFR 314.4 (b) and develop a written Information Security Plan (ISP) that outlines the procedures and practices to protect non-public personal information (NPI) and manage information security risks. The Institute will provide routinely scheduled training to all current and new employees on the importance of protecting NPI and the procedures they must follow to ensure that employees are up-to-date with the latest information security best practices. The Institute will continue to conduct regular risk assessments to identify potential security vulnerabilities, both internal and external, to evaluate the effectiveness of the ISP. The Institute will develop a plan to investigate and respond to security incidents that may compromise NPI. If an incident occurs the Institute will follow the ISP to remedy the incident, and revise the ISP as needed.
2022-001 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and significant deficiency in internal control over compliance relating to special tests Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for accurately reporting significant data elements under the Campus-Level and Program-Level records within the National Student Loan Data System (NSLDS) that DOE considers high risk. Statement of Condition: Management's review of the enrollment reporting did not detect errors on certain student data elements. Certain student records within the NSLDS were identified with inaccurate data elements. Questioned Costs: Questioned costs could not be determined. Context: Five students were identified with inaccurate data elements reported out of a total of 40 students tested. Cause: The Institute?s internal control over compliance did not detect and correct the errors. The preparer incorrectly input the student's status into NSLDS resulting in inaccuracies in significant Campus-Level and Program-Level enrollment data elements that DOE considers high risk. Effect: The Institute incorrectly reported certain Campus-Level and Program-Level records in NSLDS which is information that DOE considers high risk and the Institute?s internal controls over compliance did not detect and correct the errors. Recommendation: We recommend management review policies and procedures surrounding enrollment reporting submissions to ensure the accuracy of data elements reported to DOE. A review performed by an appropriate individual separate from the preparer prior to the submission of the enrollment reports to NSLDS may improve the accuracy of enrollment reporting. Management?s Response: Management agrees with the finding. 
Through internal investigation, it was determined that the issue arose through National Student Clearinghouse (NSC), which reports the Institute?s data to NSLDS. Management will work with NSC to assure graduates are accurately reported as soon as possible within existing external systems. The changes to management?s enrollment reporting procedures will be added to the Institute?s NSC submissions procedure documentation.
2022-002
Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster.
Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests
Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal Regulations (CFR) 314.4 (b).
Statement of Condition: A formal risk assessment was not completed and documented in fiscal 2022 which would have addressed required areas noted in 16 CFR 314.4 (b).
Questioned Costs: Questioned costs could not be determined.
Context: The internal controls over compliance at the Institute did not identify that a risk assessment in compliance with the Gramm-Leach-Bliley Act was not completed and that the Institute did not comply with the compliance requirement. However, the Institute has safeguards for each area identified within 16 CFR 314.4 (b).
Cause: The Institute did not have internal controls in place to identify the need for the risk assessment required by the Gramm-Leach-Bliley Act.
Effect: The Institute has no verifiable evidence of the risk assessment performed and the related safeguards for each risk identified.
Recommendation: We recommend management review 16 CFR 314.4 (b) to perform a risk assessment that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures. This risk assessment should be documented and we recommend that the Institute document the approval and acceptance of the risk assessment. In addition, we recommend management review internal control processes for special tests and provisions on an annual basis.
Management's Response: Management agrees with the finding. The Institute will review 16 CFR 314.4 (b) and develop a written Information Security Plan (ISP) that outlines the procedures and practices to protect non-public personal information (NPI) and manage information security risks. The Institute will provide routinely scheduled training to all current and new employees on the importance of protecting NPI and the procedures they must follow to ensure that employees are up-to-date with the latest information security best practices. The Institute will continue to conduct regular risk assessments to identify potential security vulnerabilities, both internal and external, to evaluate the effectiveness of the ISP. The Institute will develop a plan to investigate and respond to security incidents that may compromise NPI. If an incident occurs the Institute will follow the ISP to remedy the incident, and revise the ISP as needed.