Audit 289452

FY End: 2023-06-30
Total Expended: $20.34M
Findings: 14
Programs: 13
Organization: Spalding University (KY)
Year: 2023
Accepted: 2024-02-08
Auditor: Dean Dorton

Findings

ID Ref Severity Repeat Requirement
366598 2023-001 Significant Deficiency - N
366599 2023-001 Significant Deficiency - N
366600 2023-001 Significant Deficiency - N
366601 2023-001 Significant Deficiency - N
366602 2023-001 Significant Deficiency - N
366603 2023-001 Significant Deficiency - N
366604 2023-001 Significant Deficiency - N
943040 2023-001 Significant Deficiency - N
943041 2023-001 Significant Deficiency - N
943042 2023-001 Significant Deficiency - N
943043 2023-001 Significant Deficiency - N
943044 2023-001 Significant Deficiency - N
943045 2023-001 Significant Deficiency - N
943046 2023-001 Significant Deficiency - N

Contacts

Name Title Type
J3KPEDNN74R6 Ezra Krumhansl Auditee
8592805103 Simon Keemer Auditor

Notes to SEFA

Accounting Policies: Expenditures reported on the schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years.
De Minimis Rate Used: N
Rate Explanation: N/A

Title: Basis of Presentation
The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of Spalding University, Inc. (the University) under programs of the federal government for the year ended June 30, 2023. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the University, it is not intended to and does not present the financial position, changes in net assets, or cash flows of the University.

Title: Summary of Significant Accounting Policies
Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years.

Title: Indirect Cost Rate
The University has not elected to use the 10 percent de minimis indirect cost rate as allowed under the Uniform Guidance.

Title: Federal Student Loan Programs
The federal student loan programs listed subsequently are administrated directly by the University, and balances and transactions relating to these programs are included in the University's financial statements. Loans outstanding at the beginning of the year plus loans made during the year are included in the federal expenditures presented in the Schedule. The balance of loans outstanding at June 30, 2023 includes the following:

Assistance Listing Number   Program Name                    Outstanding Balance at June 30, 2023
84.038                      Federal Perkins Loan Program    $ 107,178
93.364                      Nursing Student Loan Program      506,480
                            Total                           $ 613,658

The University is responsible only for the performance of certain administrative duties with respect to the Federal Direct Loan Program and, accordingly, these loans are not included in the financial statements of the University. It is not practical to determine the balance of loans outstanding to students and former students of the University under this program as of June 30, 2023. The current expenditures under the Federal Direct Loan Programs of $15,470,201 are included in the accompanying schedule of expenditures of federal awards.

Finding Details

Finding 2023-001
Federal Program: U.S. Department of Education - Student Financial Aid Cluster: Federal Pell Grant, 84.063; Federal Supplemental Education Opportunity Grant, 84.007; Federal Work Study Program, 84.033; Federal Perkins Loan Program, 84.038; Federal Direct Loan Program, 84.268; Nursing Student Loan Program, 93.364; Scholarships for Disadvantaged Students, 93.925
Criteria: The University is required to comply with the Gramm-Leach-Bliley Act (GLBA) section 16 CFR 314.4(b).
Condition: During our audit procedures, we noted that a GLBA compliance risk assessment was not performed within the last fiscal year. Various vulnerability assessments have been conducted since 2020; however, updated GLBA compliance guidance has more specific requirements for what must be performed as part of an IT risk assessment in order to identify reasonable, foreseeable internal and external risks to the security, confidentiality, and integrity of student information. The assessment must address the following areas:
a. Information systems, including network and software design, as well as information processing, storage, transmission and disposal.
b. Detecting, preventing and responding to attacks, intrusions, or other systems failures.
c. Documented safeguards for each identified risk.
d. Appropriate mitigated risk levels for each identified risk.
Updated GLBA guidance requires that a Qualified Individual who oversees the Information Security Program make a written report to the Board of Trustees on the status of the Information Security Program at least annually. Lastly, in reviewing the University's Information Security Program and IT policies, it was noted that four attributes were not appropriately documented for GLBA compliance:
a. Conduct a periodic inventory of data, noting where it's collected, stored, or transmitted.
b. Encrypt customer information on the University's system and when it's in transit.
c. Assess apps developed by the University.
d. Implement multi-factor authentication for anyone accessing customer information on the University's system.
Cause: The University did not have controls in place to ensure all GLBA requirements were met.
Effect: The University is not in compliance with GLBA requirements.
Recommendation: We recommend the following to ensure compliance with GLBA requirements:
a. The University conduct an annual IT risk assessment that includes all components required by GLBA and periodically update the Information Security Program in response to identified risks.
b. Ensure the status of the University's Information Security Program is reported, in writing, to the Board of Trustees at least annually and that the Qualified Individual signs off on this report.
c. Update the policy library to ensure that the policies are appropriately documented to reduce the risk of GLBA noncompliance.
Views of responsible officials and planned corrective actions: The University agrees that GLBA requirements are to be implemented and has taken steps to change the process. See corrective action plan.
Finding 2023-001 Federal Program: U.S. Department of Education - Student Financial Aid Cluster: Federal Pell Grant, 84.063 Federal Supplemental Education Opportunity Grant, 84.007 Federal Work Study Program, 84.033 Federal Perkins Loan Program, 84.038 Federal Direct Loan Program, 84.268 Nursing Student Loan Program, 93.364 Scholarships for Disadvantaged Students, 93.925 Criteria: The University is required to comply with the Gramm-Leach-Bliley Act (GLBA) section 16 CFR 314.4(b). Condition: During our audit procedures, we noted that a GLBA compliance risk assessment was not performed within the last fiscal year. Various vulnerability assessments have been conducted since 2020, however updated GLBA compliance guidance has more specific requirements for what must be performed as part of an IT risk assessment in order to identify reasonable, foreseeable internal and external risks to the security, confidentiality, and integrity of student information that addresses the following areas: a. Information systems, including network and software design, as well as information processing, storage, transmission and disposal. b. Detecting, preventing and responding to attacks, intrusions, or other systems failures. c. Documented safeguards for each identified risk. d. Appropriate mitigated risk levels for each identified risk. Updated GLBA guidance requires that a Qualified Individual who oversees the Information Security Program makes a written report to the Board of Trustees on the status of the Information Security Program at least annually. Lastly, in reviewing the University's Information Security Program and IT policies, it was noted that four attributes were not appropriately documented for GLBA compliance: a. Conduct a periodic inventory of data, noting where its collected, stored, or transmitted. b. Encrypt customer information on the University's system and when it's in transit. c. Assess apps developed by the University. d. 
Implement multi-factor authentication for anyone accessing customer information on the University's system. Cause: The University did not have controls in place to ensure all GLBA requirements were met. Effect: The University is not in compliance with GLBA requirements. Recommendation: We recommend the following to ensure compliance with GLBA requirements: a. The University conduct an annual IT risk assessment that includes all components required by GLBA and periodically update the Information Security Program in response to identified risks. b. Ensure the status of the University's Information Security Program is reported, in writing, to the Board of Trustees at least annually and that the Qualified Individual signs off on this report. c. Update the policy library to ensure that the policies are appropriately documented to reduce the risk of GLBA noncompliance. Views of responsible officials and planned corrective actions: The University agrees that GLBA requirements are to be implemented and has taken steps to change the process. See corrective action plan.
Finding 2023-001 Federal Program: U.S. Department of Education - Student Financial Aid Cluster: Federal Pell Grant, 84.063 Federal Supplemental Education Opportunity Grant, 84.007 Federal Work Study Program, 84.033 Federal Perkins Loan Program, 84.038 Federal Direct Loan Program, 84.268 Nursing Student Loan Program, 93.364 Scholarships for Disadvantaged Students, 93.925 Criteria: The University is required to comply with the Gramm-Leach-Bliley Act (GLBA) section 16 CFR 314.4(b). Condition: During our audit procedures, we noted that a GLBA compliance risk assessment was not performed within the last fiscal year. Various vulnerability assessments have been conducted since 2020, however updated GLBA compliance guidance has more specific requirements for what must be performed as part of an IT risk assessment in order to identify reasonable, foreseeable internal and external risks to the security, confidentiality, and integrity of student information that addresses the following areas: a. Information systems, including network and software design, as well as information processing, storage, transmission and disposal. b. Detecting, preventing and responding to attacks, intrusions, or other systems failures. c. Documented safeguards for each identified risk. d. Appropriate mitigated risk levels for each identified risk. Updated GLBA guidance requires that a Qualified Individual who oversees the Information Security Program makes a written report to the Board of Trustees on the status of the Information Security Program at least annually. Lastly, in reviewing the University's Information Security Program and IT policies, it was noted that four attributes were not appropriately documented for GLBA compliance: a. Conduct a periodic inventory of data, noting where its collected, stored, or transmitted. b. Encrypt customer information on the University's system and when it's in transit. c. Assess apps developed by the University. d. 
Implement multi-factor authentication for anyone accessing customer information on the University's system. Cause: The University did not have controls in place to ensure all GLBA requirements were met. Effect: The University is not in compliance with GLBA requirements. Recommendation: We recommend the following to ensure compliance with GLBA requirements: a. The University conduct an annual IT risk assessment that includes all components required by GLBA and periodically update the Information Security Program in response to identified risks. b. Ensure the status of the University's Information Security Program is reported, in writing, to the Board of Trustees at least annually and that the Qualified Individual signs off on this report. c. Update the policy library to ensure that the policies are appropriately documented to reduce the risk of GLBA noncompliance. Views of responsible officials and planned corrective actions: The University agrees that GLBA requirements are to be implemented and has taken steps to change the process. See corrective action plan.
Finding 2023-001 Federal Program: U.S. Department of Education - Student Financial Aid Cluster: Federal Pell Grant, 84.063 Federal Supplemental Education Opportunity Grant, 84.007 Federal Work Study Program, 84.033 Federal Perkins Loan Program, 84.038 Federal Direct Loan Program, 84.268 Nursing Student Loan Program, 93.364 Scholarships for Disadvantaged Students, 93.925 Criteria: The University is required to comply with the Gramm-Leach-Bliley Act (GLBA) section 16 CFR 314.4(b). Condition: During our audit procedures, we noted that a GLBA compliance risk assessment was not performed within the last fiscal year. Various vulnerability assessments have been conducted since 2020, however updated GLBA compliance guidance has more specific requirements for what must be performed as part of an IT risk assessment in order to identify reasonable, foreseeable internal and external risks to the security, confidentiality, and integrity of student information that addresses the following areas: a. Information systems, including network and software design, as well as information processing, storage, transmission and disposal. b. Detecting, preventing and responding to attacks, intrusions, or other systems failures. c. Documented safeguards for each identified risk. d. Appropriate mitigated risk levels for each identified risk. Updated GLBA guidance requires that a Qualified Individual who oversees the Information Security Program makes a written report to the Board of Trustees on the status of the Information Security Program at least annually. Lastly, in reviewing the University's Information Security Program and IT policies, it was noted that four attributes were not appropriately documented for GLBA compliance: a. Conduct a periodic inventory of data, noting where its collected, stored, or transmitted. b. Encrypt customer information on the University's system and when it's in transit. c. Assess apps developed by the University. d. 
Implement multi-factor authentication for anyone accessing customer information on the University's system. Cause: The University did not have controls in place to ensure all GLBA requirements were met. Effect: The University is not in compliance with GLBA requirements. Recommendation: We recommend the following to ensure compliance with GLBA requirements: a. The University conduct an annual IT risk assessment that includes all components required by GLBA and periodically update the Information Security Program in response to identified risks. b. Ensure the status of the University's Information Security Program is reported, in writing, to the Board of Trustees at least annually and that the Qualified Individual signs off on this report. c. Update the policy library to ensure that the policies are appropriately documented to reduce the risk of GLBA noncompliance. Views of responsible officials and planned corrective actions: The University agrees that GLBA requirements are to be implemented and has taken steps to change the process. See corrective action plan.
Finding 2023-001 Federal Program: U.S. Department of Education - Student Financial Aid Cluster: Federal Pell Grant, 84.063 Federal Supplemental Education Opportunity Grant, 84.007 Federal Work Study Program, 84.033 Federal Perkins Loan Program, 84.038 Federal Direct Loan Program, 84.268 Nursing Student Loan Program, 93.364 Scholarships for Disadvantaged Students, 93.925 Criteria: The University is required to comply with the Gramm-Leach-Bliley Act (GLBA) section 16 CFR 314.4(b). Condition: During our audit procedures, we noted that a GLBA compliance risk assessment was not performed within the last fiscal year. Various vulnerability assessments have been conducted since 2020, however updated GLBA compliance guidance has more specific requirements for what must be performed as part of an IT risk assessment in order to identify reasonable, foreseeable internal and external risks to the security, confidentiality, and integrity of student information that addresses the following areas: a. Information systems, including network and software design, as well as information processing, storage, transmission and disposal. b. Detecting, preventing and responding to attacks, intrusions, or other systems failures. c. Documented safeguards for each identified risk. d. Appropriate mitigated risk levels for each identified risk. Updated GLBA guidance requires that a Qualified Individual who oversees the Information Security Program makes a written report to the Board of Trustees on the status of the Information Security Program at least annually. Lastly, in reviewing the University's Information Security Program and IT policies, it was noted that four attributes were not appropriately documented for GLBA compliance: a. Conduct a periodic inventory of data, noting where its collected, stored, or transmitted. b. Encrypt customer information on the University's system and when it's in transit. c. Assess apps developed by the University. d. 
Implement multi-factor authentication for anyone accessing customer information on the University's system. Cause: The University did not have controls in place to ensure all GLBA requirements were met. Effect: The University is not in compliance with GLBA requirements. Recommendation: We recommend the following to ensure compliance with GLBA requirements: a. The University conduct an annual IT risk assessment that includes all components required by GLBA and periodically update the Information Security Program in response to identified risks. b. Ensure the status of the University's Information Security Program is reported, in writing, to the Board of Trustees at least annually and that the Qualified Individual signs off on this report. c. Update the policy library to ensure that the policies are appropriately documented to reduce the risk of GLBA noncompliance. Views of responsible officials and planned corrective actions: The University agrees that GLBA requirements are to be implemented and has taken steps to change the process. See corrective action plan.
Finding 2023-001 Federal Program: U.S. Department of Education - Student Financial Aid Cluster: Federal Pell Grant, 84.063 Federal Supplemental Education Opportunity Grant, 84.007 Federal Work Study Program, 84.033 Federal Perkins Loan Program, 84.038 Federal Direct Loan Program, 84.268 Nursing Student Loan Program, 93.364 Scholarships for Disadvantaged Students, 93.925 Criteria: The University is required to comply with the Gramm-Leach-Bliley Act (GLBA) section 16 CFR 314.4(b). Condition: During our audit procedures, we noted that a GLBA compliance risk assessment was not performed within the last fiscal year. Various vulnerability assessments have been conducted since 2020, however updated GLBA compliance guidance has more specific requirements for what must be performed as part of an IT risk assessment in order to identify reasonable, foreseeable internal and external risks to the security, confidentiality, and integrity of student information that addresses the following areas: a. Information systems, including network and software design, as well as information processing, storage, transmission and disposal. b. Detecting, preventing and responding to attacks, intrusions, or other systems failures. c. Documented safeguards for each identified risk. d. Appropriate mitigated risk levels for each identified risk. Updated GLBA guidance requires that a Qualified Individual who oversees the Information Security Program makes a written report to the Board of Trustees on the status of the Information Security Program at least annually. Lastly, in reviewing the University's Information Security Program and IT policies, it was noted that four attributes were not appropriately documented for GLBA compliance: a. Conduct a periodic inventory of data, noting where its collected, stored, or transmitted. b. Encrypt customer information on the University's system and when it's in transit. c. Assess apps developed by the University. d. 
Implement multi-factor authentication for anyone accessing customer information on the University's system. Cause: The University did not have controls in place to ensure all GLBA requirements were met. Effect: The University is not in compliance with GLBA requirements. Recommendation: We recommend the following to ensure compliance with GLBA requirements: a. The University conduct an annual IT risk assessment that includes all components required by GLBA and periodically update the Information Security Program in response to identified risks. b. Ensure the status of the University's Information Security Program is reported, in writing, to the Board of Trustees at least annually and that the Qualified Individual signs off on this report. c. Update the policy library to ensure that the policies are appropriately documented to reduce the risk of GLBA noncompliance. Views of responsible officials and planned corrective actions: The University agrees that GLBA requirements are to be implemented and has taken steps to change the process. See corrective action plan.
Finding 2023-001 Federal Program: U.S. Department of Education - Student Financial Aid Cluster: Federal Pell Grant, 84.063 Federal Supplemental Education Opportunity Grant, 84.007 Federal Work Study Program, 84.033 Federal Perkins Loan Program, 84.038 Federal Direct Loan Program, 84.268 Nursing Student Loan Program, 93.364 Scholarships for Disadvantaged Students, 93.925 Criteria: The University is required to comply with the Gramm-Leach-Bliley Act (GLBA) section 16 CFR 314.4(b). Condition: During our audit procedures, we noted that a GLBA compliance risk assessment was not performed within the last fiscal year. Various vulnerability assessments have been conducted since 2020, however updated GLBA compliance guidance has more specific requirements for what must be performed as part of an IT risk assessment in order to identify reasonable, foreseeable internal and external risks to the security, confidentiality, and integrity of student information that addresses the following areas: a. Information systems, including network and software design, as well as information processing, storage, transmission and disposal. b. Detecting, preventing and responding to attacks, intrusions, or other systems failures. c. Documented safeguards for each identified risk. d. Appropriate mitigated risk levels for each identified risk. Updated GLBA guidance requires that a Qualified Individual who oversees the Information Security Program makes a written report to the Board of Trustees on the status of the Information Security Program at least annually. Lastly, in reviewing the University's Information Security Program and IT policies, it was noted that four attributes were not appropriately documented for GLBA compliance: a. Conduct a periodic inventory of data, noting where its collected, stored, or transmitted. b. Encrypt customer information on the University's system and when it's in transit. c. Assess apps developed by the University. d. 
Implement multi-factor authentication for anyone accessing customer information on the University's system. Cause: The University did not have controls in place to ensure all GLBA requirements were met. Effect: The University is not in compliance with GLBA requirements. Recommendation: We recommend the following to ensure compliance with GLBA requirements: a. The University conduct an annual IT risk assessment that includes all components required by GLBA and periodically update the Information Security Program in response to identified risks. b. Ensure the status of the University's Information Security Program is reported, in writing, to the Board of Trustees at least annually and that the Qualified Individual signs off on this report. c. Update the policy library to ensure that the policies are appropriately documented to reduce the risk of GLBA noncompliance. Views of responsible officials and planned corrective actions: The University agrees that GLBA requirements are to be implemented and has taken steps to change the process. See corrective action plan.
Finding 2023-001 Federal Program: U.S. Department of Education - Student Financial Aid Cluster: Federal Pell Grant, 84.063 Federal Supplemental Education Opportunity Grant, 84.007 Federal Work Study Program, 84.033 Federal Perkins Loan Program, 84.038 Federal Direct Loan Program, 84.268 Nursing Student Loan Program, 93.364 Scholarships for Disadvantaged Students, 93.925 Criteria: The University is required to comply with the Gramm-Leach-Bliley Act (GLBA) section 16 CFR 314.4(b). Condition: During our audit procedures, we noted that a GLBA compliance risk assessment was not performed within the last fiscal year. Various vulnerability assessments have been conducted since 2020, however updated GLBA compliance guidance has more specific requirements for what must be performed as part of an IT risk assessment in order to identify reasonable, foreseeable internal and external risks to the security, confidentiality, and integrity of student information that addresses the following areas: a. Information systems, including network and software design, as well as information processing, storage, transmission and disposal. b. Detecting, preventing and responding to attacks, intrusions, or other systems failures. c. Documented safeguards for each identified risk. d. Appropriate mitigated risk levels for each identified risk. Updated GLBA guidance requires that a Qualified Individual who oversees the Information Security Program makes a written report to the Board of Trustees on the status of the Information Security Program at least annually. Lastly, in reviewing the University's Information Security Program and IT policies, it was noted that four attributes were not appropriately documented for GLBA compliance: a. Conduct a periodic inventory of data, noting where its collected, stored, or transmitted. b. Encrypt customer information on the University's system and when it's in transit. c. Assess apps developed by the University. d. 
Implement multi-factor authentication for anyone accessing customer information on the University's system. Cause: The University did not have controls in place to ensure all GLBA requirements were met. Effect: The University is not in compliance with GLBA requirements. Recommendation: We recommend the following to ensure compliance with GLBA requirements: a. The University conduct an annual IT risk assessment that includes all components required by GLBA and periodically update the Information Security Program in response to identified risks. b. Ensure the status of the University's Information Security Program is reported, in writing, to the Board of Trustees at least annually and that the Qualified Individual signs off on this report. c. Update the policy library to ensure that the policies are appropriately documented to reduce the risk of GLBA noncompliance. Views of responsible officials and planned corrective actions: The University agrees that GLBA requirements are to be implemented and has taken steps to change the process. See corrective action plan.
Finding 2023-001 Federal Program: U.S. Department of Education - Student Financial Aid Cluster: Federal Pell Grant, 84.063 Federal Supplemental Education Opportunity Grant, 84.007 Federal Work Study Program, 84.033 Federal Perkins Loan Program, 84.038 Federal Direct Loan Program, 84.268 Nursing Student Loan Program, 93.364 Scholarships for Disadvantaged Students, 93.925 Criteria: The University is required to comply with the Gramm-Leach-Bliley Act (GLBA) section 16 CFR 314.4(b). Condition: During our audit procedures, we noted that a GLBA compliance risk assessment was not performed within the last fiscal year. Various vulnerability assessments have been conducted since 2020, however updated GLBA compliance guidance has more specific requirements for what must be performed as part of an IT risk assessment in order to identify reasonable, foreseeable internal and external risks to the security, confidentiality, and integrity of student information that addresses the following areas: a. Information systems, including network and software design, as well as information processing, storage, transmission and disposal. b. Detecting, preventing and responding to attacks, intrusions, or other systems failures. c. Documented safeguards for each identified risk. d. Appropriate mitigated risk levels for each identified risk. Updated GLBA guidance requires that a Qualified Individual who oversees the Information Security Program makes a written report to the Board of Trustees on the status of the Information Security Program at least annually. Lastly, in reviewing the University's Information Security Program and IT policies, it was noted that four attributes were not appropriately documented for GLBA compliance: a. Conduct a periodic inventory of data, noting where its collected, stored, or transmitted. b. Encrypt customer information on the University's system and when it's in transit. c. Assess apps developed by the University. d. 
Implement multi-factor authentication for anyone accessing customer information on the University's system. Cause: The University did not have controls in place to ensure all GLBA requirements were met. Effect: The University is not in compliance with GLBA requirements. Recommendation: We recommend the following to ensure compliance with GLBA requirements: a. The University conduct an annual IT risk assessment that includes all components required by GLBA and periodically update the Information Security Program in response to identified risks. b. Ensure the status of the University's Information Security Program is reported, in writing, to the Board of Trustees at least annually and that the Qualified Individual signs off on this report. c. Update the policy library to ensure that the policies are appropriately documented to reduce the risk of GLBA noncompliance. Views of responsible officials and planned corrective actions: The University agrees that GLBA requirements are to be implemented and has taken steps to change the process. See corrective action plan.