Audit 289733

FY End: 2023-06-30
Total Expended: $230.34M
Findings: 42
Programs: 34
Audit Year: 2023
Accepted: 2024-02-09


Findings

ID Ref Severity Repeat Requirement
366727 2023-001 - Yes E
366728 2023-002 Significant Deficiency - N
366729 2023-002 Significant Deficiency - N
366730 2023-002 Significant Deficiency - N
366731 2023-002 Significant Deficiency - N
366732 2023-002 Significant Deficiency - N
366733 2023-002 Significant Deficiency - N
366734 2023-003 - Yes N
366735 2023-003 - Yes N
366736 2023-003 - - N
366737 2023-003 - - N
366738 2023-003 - Yes N
366739 2023-003 - - N
366740 2023-004 - - N
366741 2023-004 - - N
366742 2023-004 - - N
366743 2023-004 - - N
366744 2023-005 - - L
366745 2023-005 - - L
366746 2023-005 - - L
366747 2023-006 - - L
943169 2023-001 - Yes E
943170 2023-002 Significant Deficiency - N
943171 2023-002 Significant Deficiency - N
943172 2023-002 Significant Deficiency - N
943173 2023-002 Significant Deficiency - N
943174 2023-002 Significant Deficiency - N
943175 2023-002 Significant Deficiency - N
943176 2023-003 - Yes N
943177 2023-003 - Yes N
943178 2023-003 - - N
943179 2023-003 - - N
943180 2023-003 - Yes N
943181 2023-003 - - N
943182 2023-004 - - N
943183 2023-004 - - N
943184 2023-004 - - N
943185 2023-004 - - N
943186 2023-005 - - L
943187 2023-005 - - L
943188 2023-005 - - L
943189 2023-006 - - L

Requirement column codes follow the Compliance Supplement matrix: E = Eligibility, N = Special Tests and Provisions, L = Reporting. A dash means the column is blank for that row.

Programs

ALN Program Amount Expended Major Program Findings
84.063 Federal Pell Grant Program $126.71M Yes 4
84.268 Federal Direct Student Loans $16.51M Yes 2
84.048 Career and Technical Education -- Basic Grants to States $5.23M - 2
84.031 Higher Education_Institutional Aid $5.07M - 0
84.007 Federal Supplemental Educational Opportunity Grants $4.43M Yes 3
17.268 H-1B Job Training Grants $4.11M Yes 1
84.002 Adult Education - Basic Grants to States $3.29M - 0
84.047 TRIO_Upward Bound $2.54M - 0
84.033 Federal Work-Study Program $2.12M Yes 3
84.042 TRIO_Student Support Services $2.02M - 0
47.076 Education and Human Resources $1.53M - 0
93.575 Child Care and Development Block Grant $1.04M Yes 0
93.558 Temporary Assistance for Needy Families $968,316 Yes 0
93.596 Child Care Mandatory and Matching Funds of the Child Care and Development Fund $926,696 Yes 0
84.425 Education Stabilization Fund $917,445 Yes 0
84.044 TRIO_Talent Search $828,866 - 0
84.116 Fund for the Improvement of Postsecondary Education $751,361 - 0
93.658 Foster Care – Title IV-E $415,268 - 0
10.558 Child and Adult Care Food Program $377,562 - 0
84.066 TRIO_Educational Opportunity Centers $283,461 - 0
94.006 AmeriCorps $218,918 - 0
93.600 Foster Care – Title IV-E $208,217 - 0
84.126 Rehabilitation Services_Vocational Rehabilitation Grants to States $201,605 - 0
84.335 Child Care Access Means Parents in School $189,021 - 0
17.258 WIA Adult Program $153,532 - 0
84.334 Gaining Early Awareness and Readiness for Undergraduate Programs $136,959 - 0
17.261 WIA Pilots, Demonstrations, and Research Projects $117,009 - 0
17.207 Employment Service/Wagner-Peyser Funded Activities $113,700 - 0
10.561 State Administrative Matching Grants for the Supplemental Nutrition Assistance Program $113,538 - 0
84.038 Federal Perkins Loan Program $69,348 Yes 3
43.008 Education $42,957 - 0
47.050 Geosciences $35,011 - 0
84.220 Centers for International Business Education $1,000 - 0
17.278 WIA Dislocated Worker Formula Grants $336 - 0

Contacts

ID Name Type
Y9SWL6BWDM85 Jeanette Gordon Auditee
2138912190 Elisa Stilwell Auditor

Notes to SEFA

Accounting Policies: Basis of Presentation. The District’s reporting entity is defined in the basic financial statements. (i) SEFA: The information in the SEFA is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). The SEFA presents only a selected portion of the operations of the District. It is not intended to and does not represent the financial position, changes in net position, or cash flows of the District. De Minimis Rate Used: N. Rate Explanation: The auditee did not use the de minimis cost rate. Expenditures on the SEFA are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. The District utilizes a negotiated indirect cost rate for salary and wages of 40% which will expire on June 30, 2023.

Title: Federal Student Loan Programs. The federal student loan programs listed below are administered directly by the District, and balances and transactions relating to these programs are included in the District’s basic financial statements. Loans outstanding at the beginning of the year, loans made during the year, and administrative cost allowances are included in the federal expenditures presented in the SEFA. Loan advances made to students for the year ended June 30, 2023 and loans outstanding held by the District as of June 30, 2023 are as follows:

Title: Administrative Cost Allowances. Administrative cost allowances included in the accompanying SEFA are summarized as follows:

Title: Federal Clusters of Programs. The following table summarizes the expenditures of federal program clusters included in the SEFA:

Finding Details

Finding FA 2023-001: Eligibility: Incorrect Federal Pell Grant Amounts Awarded (Repeat Finding)

Federal Program Information
Assistance Listing Number: ALN 84.063
Federal Program Name: Student Financial Assistance Cluster; Federal Pell Grant Program
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: P063P200033 (Steve to Confirm)
Federal Award Year: July 1, 2022, to June 30, 2023
Campus: West Los Angeles College
Compliance Requirement: Eligibility

Criteria or Specific Requirement: Per 34 Code of Federal Regulations (CFR) 690.62, Calculation of a Federal Pell Grant, the amount of a student’s Pell Grant for an academic year is based upon the payment and disbursement schedules published by the Secretary for each award year. The Uniform Guidance Compliance Supplement states that the Department of Education provides institutions with Payment and Disbursement Schedules for determining Pell awards each year. The Payment or Disbursement Schedule provides the maximum annual amount a student would receive for a full academic year for a given enrollment status, Expected Family Contribution (EFC), and Cost of Attendance (COA). The Payment Schedule is used to determine the annual award for full-time, three-quarter-time, half-time, and less-than-half-time students. 2 CFR section 200.303 requires that non-Federal entities receiving Federal awards establish and maintain internal control over the Federal awards that provide reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal awards.

Identified Condition: Of the twenty (20) students selected for eligibility test work at West Los Angeles College, we noted the following:
• 1 student had an incorrectly calculated Federal Pell Grant award, which resulted in an understatement of the disbursement to the student by $773. The student was eligible to receive $1,273 yet received $500 in Winter 2023.

Cause and Effect: The institution has reviewed the student’s award and determined that the student was inadvertently disbursed $500 instead of $1,273, which is considered to be an underpayment. Once identified by the auditors, the award was corrected and the difference refunded to the student. The Central Financial Aid Systems Unit and the District’s Student Information System (SIS) Information Technology department have reviewed both system controls and manual intervention, but the cause remains undetermined.

Questioned Costs: See schedule of findings and questioned costs. The District has a known net understatement of Pell Grant award disbursements of ($773). The projected total net understatement of the Pell Grant award disbursements is $186,345 (see schedule of findings and questioned costs). This is computed by dividing the error found in the samples per term (Fall/Winter term: net underpayment ($773); Spring/Summer terms: $0) by the total Pell awards disbursed in the sample per term (Winter term: $64,577; Spring/Summer terms: $81,046), multiplied by the total Pell awards disbursed for the identified colleges per term (Fall/Winter term: $15,567,394; Spring/Summer terms: $14,958,472). The computation is made on a per-term basis at the campus level, not district-wide.

Recommendation: We recommend that the District make the necessary system modifications to the PeopleSoft SIS to ensure student awards are properly calculated. This will help ensure that Federal Pell Grants are properly awarded to students who meet the eligibility requirements.

Views of Responsible Officials and Planned Corrective Actions: The District believes this error was an isolated incident and the effect is minimal, as we performed an extensive review of all nine campuses’ Pell Grant award disbursements for the term and found that this was the only similar award. The District will monitor disbursements and will perform reconciliation on a monthly basis.
Personnel Responsible for Implementation: FA Office and the Central Financial Aid Unit
Position of Responsible Personnel: FA Managers
Expected Date of Implementation: Already Implemented
Finding FA 2023-002: Special Tests and Provisions: Return of Title IV Funds: Incorrect Calculation of Return of Title IV Funds, Untimely Notification of Grant Overpayment to Students and Secretary, Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date (Repeat Finding)

Federal Program Information
Federal Catalog Number: ALN 84.007, 84.033, 84.038, 84.048, 84.063 and 84.268
Federal Program Name: Student Financial Assistance Cluster; Federal Pell Grant Program; Federal Direct Student Loans
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: P007A210456, P063P215260, P268K225260, P007A210676, P063P215262, P268K225262, 21-C01-740
Federal Award Year: July 1, 2022, to June 30, 2023
Campuses: Los Angeles City College (Repeat Finding); East Los Angeles College (Repeat Finding); Los Angeles Harbor College (Repeat Finding); Los Angeles Mission College (Repeat Finding); Los Angeles Pierce College (Repeat Finding); Los Angeles Southwest College (Repeat Finding); Los Angeles Trade Technical College (Repeat Finding); Los Angeles Valley College (Repeat Finding); West Los Angeles College (Repeat Finding)
Compliance Requirement: Special Tests and Provisions – Return of Title IV Funds

Criteria or Specific Requirement: Per 34 Code of Federal Regulations 668.22(a)(1) through (a)(5): When a recipient of Title IV grant or loan assistance withdraws from an institution during a payment period or period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV aid earned by the student as of the student’s withdrawal date. If the total amount of Title IV assistance earned by the student is less than the amount that was disbursed to the student or on his or her behalf as of the date of the institution’s determination that the student withdrew, the difference must be returned to the Title IV programs as outlined in this section and no additional disbursements may be made to the student for the payment period or period of enrollment. If the amount the student earned is greater than the amount disbursed, the difference between the amounts must be treated as a post-withdrawal disbursement.

Per the Uniform Guidance Compliance Supplement:

Withdrawal Date: If an institution is required to take attendance, the withdrawal date is the last date of academic attendance, as determined by the institution from its attendance records. An institution is required to take attendance if:
a. The institution is required to take attendance for some or all of its students by an entity outside of the institution (such as the institution’s accrediting agency or state agency);
b. The institution itself has a requirement that its instructors take attendance; or
c. The institution or an outside entity has a requirement that can only be met by taking attendance or a comparable process, including, but not limited to, requiring that students in a program demonstrate attendance in the classes of that program or a portion of that program (34 CFR 668.22(b)(3)).

Note: As provided in the Department’s Program Integrity Q&As for Return of Title IV Funds, the monitoring of whether online students log into classes does not by itself result in an institution being an institution that is required to take attendance for Title IV, HEA program purposes, because monitoring logins alone is not monitoring academic engagement (as defined under 34 CFR 600.2). However, an institution that collects and maintains information about students’ online activities for the purpose of tracking academic engagement is considered to be an institution that is required to take attendance for programs involving such tracking if that tracking:
1. Involves monitoring student attendance in a synchronous class, lecture, recitation, or field or laboratory activity, physically or online via a distance education platform, where there is an opportunity for interaction between the instructor and students; or
2. Is used to administratively withdraw students or to enforce an institutional attendance policy.

If an institution is not required to take attendance, the withdrawal date is (1) the date, as determined by the institution, that the student began the withdrawal process prescribed by the institution; (2) the date, as determined by the institution, that the student otherwise provided official notification to the institution, in writing or orally, of his or her intent to withdraw; (3) if the student ceases attendance without providing official notification to the institution of his or her withdrawal, the midpoint of the payment period or, if applicable, the period of enrollment; (4) if the institution determines that a student did not begin the withdrawal process or otherwise notify the institution of the intent to withdraw due to illness, accident, grievous personal loss or other circumstances beyond the student’s control, the date the institution determines is related to that circumstance; (5) if a student does not return from an approved leave of absence, the date that the institution determines the student began the leave of absence; or (6) if the student takes an unapproved leave of absence, the date that the student began the leave of absence. Notwithstanding the above, an institution that is not required to take attendance may use as the withdrawal date the last date of attendance at an academically related activity as documented by the institution (34 CFR 668.22(c) and (l)).

Title IV funds may be expended only towards the education of students who can be proven to have been in attendance at the institution. In a distance education context, documenting that a student has logged into an online distance education platform or system is not sufficient, by itself, to demonstrate attendance by the student. To avoid returning all funds for a student that did not begin attendance, an institution must be able to document “attendance at any class.” To qualify as a last date of attendance for Return of Title IV purposes, an institution must demonstrate that a student participated in class or was otherwise engaged in an academically related activity, such as by contributing to an online discussion or initiating contact with a faculty member to ask a course-related question.

Timing of Return of Title IV Funds: Returns of Title IV funds are required to be deposited or transferred into the SFA account, or electronic fund transfers initiated to ED, as soon as possible but no later than 45 days after the date the institution determines that the student withdrew. Returns by check are late if the check is issued more than 45 days after the institution determined the student withdrew, or if the date on the canceled check shows the check was endorsed more than 60 days after the date the institution determined that the student withdrew (34 CFR 668.173(b)). An institution that is not required to take attendance must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew (34 CFR 668.22(j)). The institution must also notify the recipient of Title IV loans returned (34 CFR 685.306(a)(2)).

Identified Condition: See schedule of findings and questioned costs.

A. Incorrect Calculation of Return of Title IV Funds

East Los Angeles College: We noted 1 of 15 students selected for return of Title IV funds test work, from the population of students who had withdrawn, dropped out, or never began attendance, that had an incorrect calculation of percentage of completion for Spring 2023 based on the student’s actual number of days completed during the enrollment period. The student was enrolled in a session module course, which is a program that does not span the entire length of the payment period or period of enrollment. For this type of course, the student’s “actively enrolled days” should have been used in the return of Title IV funds calculation. This error resulted in an overstatement of the institutional return by $13 and an overstatement of the student’s return by $21. The overstatement of the student’s return did not result in a questioned cost due to grant protection.

Los Angeles Southwest College: We noted 6 of 20 students selected for return of Title IV funds test work, from the population of students who had withdrawn, dropped out, or never began attendance for Fall 2022, that had an incorrect calculation of the percentage of completion based on the student’s number of days completed during the enrollment period. For 3 students, these errors resulted in:
• 1 student with an understatement of institutional return of $37 and an understatement of student return of $287.
• 1 student with an understatement of institutional return of $11 and an understatement of student return of $197.
• 1 student with an overstatement of institutional return of $10 and an overstatement of student return of $20.
The above overstatement of the student return did not result in questioned costs due to grant protection. The remaining 3 students were enrolled in a session module course, which is a program that does not span the entire length of the payment period or period of enrollment. For this type of course, the student’s “actively enrolled days” should have been used in the return of Title IV funds calculation. These errors resulted in:
• 1 student with an overstatement of institutional return of $30.
• 1 student with an overstatement of institutional return of $187.
• 1 student with an overstatement of institutional return of $21 and an overstatement of student return of $9.
The overstatement of the student return did not result in questioned costs due to grant protection.

B. Untimely Notification of Grant Overpayment to the Secretary

We noted that 1 out of 15 students selected for compliance test work at East Los Angeles College, who owed an overpayment of $187 as a result of the student’s withdrawal, was referred to the Secretary of the Department of Education beyond the 30-day timeframe from the date of the institution’s determination that the student withdrew and owed an overpayment. The required notification was submitted to the National Student Loan Data System (NSLDS) 260 days late.

C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date

The District has not yet implemented a formal process to monitor a student’s active participation in an online class and engagement in academic activities related to a distance education (DE) course, in order to determine the reasonableness and accuracy of the student’s withdrawal date in the system. Currently, the withdrawal date used in the calculation of return of Title IV funds is the date the student initiates the withdrawal from the course in the system.

Cause and Effect:

A. Incorrect Calculation of Return of Title IV Funds. East Los Angeles College: The Financial Aid Technician who processed the Spring 2023 return to Title IV had an oversight on that record during his review process. He had a family emergency during that period and had to leave in the middle of his review process. As a result, he forgot to deduct the spring break period from the total number of days for the enrollment period. This caused the calculation to be slightly off. Los Angeles Southwest College: The person who was assigned the role of handling the return to Title IV program received limited training before he assumed the duties of return to Title IV calculations, while also having to maintain his full load as a Financial Aid Technician. In addition to the limited training, there were changes as to how the program was administered and modules were calculated. This is an arduous task for a seasoned professional and a very challenging task for a novice at best. As with all newly assigned duties, given more time he would have become an expert in handling this program with minimal to zero errors.

B. Untimely Notification of Grant Overpayment to the Secretary. Every two weeks a new batch of the return to Title IV report is released to be processed. The urgency for each report to be completed within a certain time frame created confusion about the NSLDS reporting due date. The same Financial Aid Technician was in charge of completing each step of the process. East Los Angeles College has the largest return to Title IV population. The demand to meet the deadline caused an oversight for the NSLDS report.

C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date. The calculation of return to Title IV funds is a complex process. The District has invested significant resources to improve the accuracy of the process. The District is centralizing and automating the return to Title IV process to minimize potential errors. However, there are still manual aspects to the process. In particular, distance education (DE) courses require faculty to withdraw students from Canvas, the online content delivery application, and from PeopleSoft, the District’s student information system. PeopleSoft is used to maintain student records and for administering aid. Incorrect information entered into either system can lead to an incorrect return to Title IV calculation, resulting in institutional liability and/or disciplinary action taken by the U.S. Department of Education.

Questioned Costs:

A. Incorrect Calculation of Return of Title IV Funds: See schedule of findings and questioned costs. The District has a known net understatement of the amount due from the student of $434 and a known net overstatement of the amount due from the District of $213. The projected total net understatement of amounts due from both the student and the District is $4,006 (see schedule of findings and questioned costs). This is computed by dividing the errors found in the samples per term (Summer term: net understatement $0; Fall/Spring terms: net understatement $221) by the total Pell awards disbursed in the sample per term (Summer term: $5,000; Fall/Spring terms: $176,293), multiplied by the total Pell awards disbursed for the identified colleges per term (Summer term: $67,595; Fall/Spring terms: $3,195,662). The computation is made on a per-term basis at the campus level, not district-wide.

B. Untimely Notification of Grant Overpayment to the Secretary: None.

C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date: None.

Recommendation: We recommend that the District evaluate and improve its existing process and control procedures related to the return of Title IV funds, including notification and return due date requirements. This will help ensure 1) that the returns of Title IV funds are accurately calculated and 2) compliance with the notification and return due date requirements, in accordance with the Uniform Guidance and the Code of Federal Regulations. We recommend that the District implement additional controls at the course instructor level to effectively monitor student participation and engagement in academic activities related to DE courses, so that the instructor can determine the reasonableness and accuracy of a student’s withdrawal date listed in the system. This will help ensure that the withdrawal date used in the calculation of the return of Title IV funds is accurate.

Views of Responsible Officials and Planned Corrective Actions:

A. Incorrect Calculation of Return to Title IV Funds. East Los Angeles College: The corrective action plan that will be put in place is to develop a chart with a predetermined number of days based on the enrollment period. This will avoid the manual counting of the number of days for each student. We also trained an additional staff member to help with the workload. This will ensure that errors will be caught before the completion of the review process. Implementation will begin in Spring 2024. Staff is currently being trained.
Personnel Responsible for Implementation: Gavino Herrera
Position of Responsible Personnel: Financial Aid Supervisor
Expected Date of Implementation: Spring 2024
Los Angeles Southwest College: The corrective action that we are implementing to remediate this finding is to move the campus return to Title IV processing to the “R2T4 Unit” at the District Office.
Personnel Responsible for Implementation: Muniece R. Bruton
Position of Responsible Personnel: Financial Aid Manager
Expected Date of Implementation: December 1, 2023

B. Untimely Notification of Grant Overpayment to Students and Secretary. East Los Angeles College: The corrective action plan is being implemented by providing an additional staff member to assist with the return to Title IV process, along with helping with the validation to ensure that calculation, notification, and reporting to NSLDS will be completed on a timely basis. A reminder is set in the Financial Aid Technician’s Outlook calendar to help meet the deadline of the reporting requirement.
Personnel Responsible for Implementation: Gavino Herrera
Position of Responsible Personnel: Financial Aid Supervisor
Expected Date of Implementation: Fall 2023

C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date. In the fall 2022 term, the District implemented training for all Distance Education (DE) faculty members to reduce the risk of data entry errors. DE faculty receive follow-up notifications at the beginning of every term. In addition, the District attempted to conduct random sampling to ensure the accuracy of the data entry. However, the District did not have the authorization or resources to perform sampling during the audit period. As a result, the corrective action plan (CAP) was only partially implemented during fiscal year 2023. In fall 2023, the District secured the human resources and required authorizations to conduct random sampling of the faculty data entry. The District’s Internal Audit Department (IAD) is performing random sampling of all campuses. As of fall 2023, all corrective actions have been fully implemented.
Personnel Responsible for Implementation: Steve Giorgi, Betsy Regalado, Keyna Crenshaw
Position of Responsible Personnel: Financial Aid Manager; Associate Vice Chancellor of Educational Programs and Institutional Effectiveness; LACCD Supervising Auditor
Expected Date of Implementation: Fall 2023
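The percentage-of-completion step that both campus errors in Condition A got wrong (a spring break left in the day count, and full-period dates used for a session module) can be made concrete. The following is an added worked example written for this page; it is not code from the audit, the District, or its R2T4 Unit. It assumes the day-counting rules of 34 CFR 668.22(f) (completed and total calendar days, with scheduled breaks of five or more consecutive days excluded from both) and the 60% rule of 668.22(e) (more than 60% completed means all disbursed aid is earned). It does not model the split of the unearned amount between institution and student or the grant overpayment protection the finding mentions. The term dates, break dates and dollar amounts are constructed, not the audited students' data.

```python
"""Return of Title IV (R2T4) percentage-of-completion step, as an added example.

Assumptions (stated here because the page itself does not spell them out):
- Completed and total calendar days run from the start of the payment
  period, or from the start of the session module when the student was
  enrolled only in a module that does not span the whole period.
- Scheduled breaks of five or more consecutive days are excluded from both
  counts; shorter breaks (a single holiday) stay in (34 CFR 668.22(f)).
- More than 60% completed means 100% of disbursed aid is earned (668.22(e)).
- The institution/student split and grant protection are NOT modelled.
All dates and dollar amounts below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Period:
    """A payment period or a session module; both endpoints are inclusive."""
    start: date
    end: date
    breaks: tuple[tuple[date, date], ...] = ()  # scheduled breaks, inclusive


def _calendar_days(first: date, last: date) -> int:
    return (last - first).days + 1


def excluded_break_days(period: Period, upto: date) -> int:
    """Days of scheduled breaks lasting >= 5 days that fall on or before `upto`."""
    days = 0
    for b_start, b_end in period.breaks:
        if _calendar_days(b_start, b_end) < 5 or b_start > upto:
            continue  # short breaks are not excluded; later breaks not reached
        days += _calendar_days(b_start, min(b_end, upto))
    return days


def completion_percentage(period: Period, withdrawal: date,
                          *, exclude_breaks: bool = True) -> float:
    """Fraction of the period completed as of the withdrawal date.

    exclude_breaks=False reproduces the error in the finding: the scheduled
    break is left in the total-day count.
    """
    if not period.start <= withdrawal <= period.end:
        raise ValueError("withdrawal date must fall inside the period")
    completed = _calendar_days(period.start, withdrawal)
    total = _calendar_days(period.start, period.end)
    if exclude_breaks:
        completed -= excluded_break_days(period, withdrawal)
        total -= excluded_break_days(period, period.end)
    return completed / total


def earned_percentage(pct_completed: float) -> float:
    """Aid earned: 100% once more than 60% of the period is completed."""
    return 1.0 if pct_completed > 0.60 else pct_completed


def unearned_aid_cents(disbursed_cents: int, pct_completed: float) -> int:
    """Title IV aid (in cents) that was disbursed but not earned."""
    earned = round(disbursed_cents * earned_percentage(pct_completed))
    return max(disbursed_cents - earned, 0)


# Constructed spring term: Jan 9 - May 31 2023, a one-day holiday on Feb 20
# (too short to exclude) and a 7-day spring break Apr 3 - Apr 9.
SPRING_2023 = Period(
    start=date(2023, 1, 9),
    end=date(2023, 5, 31),
    breaks=((date(2023, 2, 20), date(2023, 2, 20)),
            (date(2023, 4, 3), date(2023, 4, 9))),
)


def compare(period: Period, withdrawal: date, disbursed_cents: int) -> dict:
    """Correct result beside the break-not-deducted result for one withdrawal."""
    right = completion_percentage(period, withdrawal)
    wrong = completion_percentage(period, withdrawal, exclude_breaks=False)
    return {
        "pct_correct": right,
        "pct_break_not_deducted": wrong,
        "unearned_correct": unearned_aid_cents(disbursed_cents, right),
        "unearned_break_not_deducted": unearned_aid_cents(disbursed_cents, wrong),
    }


if __name__ == "__main__":
    # Withdrawal on Mar 10 with $2,000 disbursed: 61/136 vs 61/143 completed,
    # so leaving the break in overstates the return by $43.91.
    for key, value in compare(SPRING_2023, date(2023, 3, 10), 200_000).items():
        print(f"{key:>28}: {value}")
    # Withdrawal on Apr 20: 95/136 is above 60%, so nothing is unearned.
    print(compare(SPRING_2023, date(2023, 4, 20), 200_000)["unearned_correct"])
```

To model the session-module cases in the finding, build a `Period` from the module's own start and end dates rather than the term's; the "actively enrolled days" the auditors refer to then fall out of the same two counts. Amounts are kept in integer cents so that rounding happens once, at the earned-amount step, rather than accumulating across the percentage arithmetic.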
An institution that is not required to take attendance must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew (34 CFR 668.22(j)). The institution must also notify the recipient of Title IV loans returned (34 CFR 685.306(a)(2)). Identified Condition: See schedule of findings and questioned costs Description A. Incorrect Calculation of Return to Title IV Funds East Los Angeles College We noted 1 of 15 students selected for return of Title IV funds test work from the population of students who had withdrawn, dropped out, or never began attendance that had an incorrect calculation of percentage of completion for Spring 2023 based on the student’s actual number of days completed during the enrollment period. The student was enrolled in a session module course, which is a program that does not span the entire length of the payment period or period of enrollment. For this type of course, the student’s “actively enrolled days” should have been used in the return of Title IV funds calculation. This error resulted in an overstatement of the institutional return by $13 and an overstatement of the student’s return by $21. The effect of the overstatement of the student’s return did not result in a questioned cost due to grant protection. Los Angeles Southwest College We noted 6 of 20 students selected for return of Title IV funds test work from the population of students who had withdrawn, dropped out or never began attendance for Fall 2022 that had had an incorrect calculation of the percentage of completion based on the student’s number of days completed during the enrollment period. 
For 3 students, these errors resulted in: • 1 student with an understatement of institutional return of $37 and an understatement of student return of $287. • 1 student with an understatement of institutional return of $11 and an understatement of student return of $197. • 1 student with an overstatement of institutional return of $10 and overstatement of student return of $20. The effect of the above overstatement of the student return did not result in questioned costs due to grant protection. For the remaining 3 students, we noted these students were enrolled in a session module course, which is a program that does not span the entire length of the payment period or period of enrollment. For this type of course, the student’s “actively enrolled days” should have been used in the return of Title IV funds calculation These errors resulted in: • 1 student with an overstatement of institutional return of $30. • 1 student with an overstatement of institutional return of $187. • 1 student with an overstatement of institutional return of $21 and an overstatement of student return of $9. The effect of the overstatement of the student return did not result in questioned costs due to grant protection. B. Untimely Notification of Grant Overpayment to the Secretary We noted that 1 out of 15 students selected for compliance test work at East Los Angeles College that owed an overpayment of $187 as a result of the student’s withdrawal was referred to the Secretary of the Department of Education beyond the 30-day timeframe from the date of the institution’s determination that the student withdrew and owed overpayments as a result of the student’s withdrawal. The required notification was submitted to the National Student Loan Data System (NSLDS) 260 days late. C. 
Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date The District has not yet implemented a formal process in place to monitor a student’s active participation in an online class and engagement in academic activities related to a distance education (DE) course in order to determine the reasonableness and accuracy of the student’s withdrawal date in the system. Currently, the withdrawal date used in the calculation of return to Title IV funds is the actual date the student initiates the withdrawal from the course in the system. Cause and Effect: A. Incorrect Calculation of Return to Title IV Funds East Los Angeles College The Financial Aid Technician who processed the Spring 2023 return to Title IV had an oversight on that record during his review process. He had a family emergency during that period and had to leave in the middle of his review process. As a result, he forgot to deduct the spring break period from the total number of days for the enrollment period. This caused the calculation to be slightly off. Los Angeles Southwest College The person who was assigned the role of handling the return to Title IV program received limited training before he assumed the duties of return to Title IV calculations while also having to maintain his full load as a Financial Aid Technician. In addition to the limited training, there were changes as to how the program was administered and modules were calculated. This is an arduous task for a seasoned professional and a very challenging task for a novice at best. As with all newly assigned duties, given more time he would have become an expert in handling this program with minimal to zero errors. B. Untimely Notification of Grant Overpayment to the Secretary Every two weeks a new batch of return to Title IV report is released to be processed. The urgency for each report to be completed within a certain time frame created confusion for the NSLDS reporting due date. 
The same Financial Aid Technician was in charge of completing each step of the process. East Los Angeles College has the largest return to Title IV population. The demand to meet the deadline process caused an oversight for the NSLDS report. C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date The calculation of return to Title IV funds is a complex process. The District has invested significant resources to improve the accuracy of the process. The District is centralizing and automating the return to Title IV process to minimize potential errors. However, there are still manual aspects to the process. In particular, distance education courses (DE) require faculty to withdraw students from Canvas, the online content delivery application, and Peoplesoft, the District’s student information system. Peoplesoft is used to maintain student records and for administering aid. Incorrect information entered into either system can lead to an incorrect return to Title IV calculation, resulting in institutional liability and/or disciplinary action taken by the U.S. Department of Education. Questioned Costs: A. Incorrect Calculation of Return to Title IV Funds See schedule of findings and questioned costs The District has a known net understatement of the amount due from the student of $434 and a known net overstatement of the amount due from the District of $213. The Projected total net understatement of amounts due from both the student and District is $4,006 as follows: See schedule of findings and questioned costs. This is computed by dividing the errors found in samples per term (Summer term – net understatement $0 and Fall/Spring terms – net understatement $221 over the total Pell awards disbursed in the sample size per term (Summer term – $5,000 and Fall/Spring terms – $176,293) multiplied by the total Pell awards disbursed for the identified colleges per term (Summer term – $67,595 and Fall/Spring terms – $3,195,662). 
The computation is made on a per-term basis on a campus level and not on a district-wide level. B. Untimely Notification of Grant Overpayment to the Secretary None. C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date None. Recommendation: We recommend that the District evaluate and improve its existing process and control procedures related to the return of Title IV funds, including notification and return due date requirements. This will help ensure 1) that the returns of Title IV funds are accurately calculated and 2) compliance with the notification and return due date requirements, in accordance with the Uniform Guidance and the Code of Federal Regulation. We recommend that the District implement additional controls at the course instructor level to effectively monitor student participation and engagement in academic activities related to DE courses in order for the instructor to determine the reasonableness and accuracy of a student’s withdrawal date listed in the system. This will help ensure that the withdrawal date used in the calculation of the return of Title IV funds is accurate. Views of Responsible Officials and Planned Corrective Actions: A. Incorrect Calculation of Return to Title IV Funds East Los Angeles College The corrective action plan that will be put in place is to develop a chart with a predetermined number of days based on the enrollment period. This will avoid the manual counting of the number of days for each student. We also trained an additional staff member to help with the workload. This will ensure that errors will be caught before the completion of the review process. Implementation will begin in Spring 2024. Staff is currently being trained. 
Personnel Responsible for Implementation: Gavino Herrera Position of Responsible Personnel: Financial Aid Supervisor Expected Date of Implementation: Spring 2024 Los Angeles Southwest College The corrective action that we are implementing to remediate this finding is to move the campus return to Title IV processing to the “R2T4 Unit” at the District Office. Personnel Responsible for Implementation: Muniece R. Bruton Position of Responsible Personnel: Financial Aid Manager Expected Date of Implementation: December 1, 2023 B. Untimely Notification of Grant Overpayment to Students and Secretary East Los Angeles College The Corrective Action plan is being implemented by providing an additional staff member to assist with the return to Title IV process along with helping with the validation to ensure calculation, notification, and reporting to NSLDS will be completed on a timely basis. A reminder is set in the Financial Aid Technician Outlook calendar to help remind them to help meet the deadline of the reporting requirement. Personnel Responsible for Implementation: Gavino Herrera Position of Responsible Personnel: Financial Aid Supervisor Expected Date of Implementation: Fall 2023 C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date In the fall 2022 term, the District implemented training for all Distance Education (DE) faculty members to reduce the risk of data entry errors. DE faculty receive follow-up notifications at the beginning of every term). In addition, the District attempted to conduct random sampling to ensure the accuracy of the data entry. However, the District did not have the authorization or resources to perform sampling during the audit period. As a result, the corrective action plan (CAP) was only partially implemented during fiscal year 2023. In fall 2023, the District secured the human resources and required authorizations to conduct random sampling of the faculty data entry. 
The District’s Internal Audit Department (IAD) is performing random sampling of all campuses. As of fall 2023, all corrective actions have been fully implemented. Personnel Responsible for Implementation: Steve Giorgi, Betsy Regalado, Keyna Crenshaw Position of Responsible Personnel: Financial Aid Manager, Associate Vice Chancellor of Educational Programs and Institutional Effectiveness, LACCD Supervising Auditor) Expected Date of Implementation: Fall 2023
Finding FA 2023-002: Special Tests and Provision: Return of Title IV Funds: Incorrect Calculation of Return of Title IV Funds, Untimely Notification of Grant Overpayment to Students and Secretary, Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date (Repeat Finding) Federal Program Information Federal Catalog Number: ALN 84.007, 84.033, 84.038, 84.048, 84.063 and 84.268 Federal Program Name: Student Financial Assistance Cluster; Federal Pell Grant Program Federal Direct Student Loans Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: P007A210456, P063P215260, P268K225260 P007A210676, P063P215262, P268K225262, 21-C01-740 Federal Award Year: July 1, 2022, to June 30, 2023 Campuses: Los Angeles City College (Repeat Finding) East Los Angeles College (Repeat Finding) Los Angeles Harbor College (Repeat Finding) Los Angeles Mission College (Repeat Finding) Los Angeles Pierce College (Repeat Finding) Los Angeles Southwest College (Repeat Finding) Los Angeles Trade Technical College (Repeat Finding) Los Angeles Valley College (Repeat Finding) West Los Angeles College (Repeat Finding) Compliance Requirement: Special Tests and Provisions – Return of Title IV Funds Criteria or Specific Requirement: Per 34 Code of Federal Regulations 668.22 (a)(1) through (a)(5): When a recipient of Title IV grant or loan assistance withdraws from an institution during a payment period or period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV aid earned by the student as of the student’s withdrawal date. 
If the total amount of Title IV assistance earned by the student is less than the amount that was disbursed to the student or on his or her behalf as of the date of the institution’s determination that the student withdrew, the difference must be returned to the Title IV programs as outlined in this section and no additional disbursements may be made to the student for the payment period or period of enrollment. If the amount the student earned is greater than the amount disbursed, the difference between the amounts must be treated as a post-withdrawal disbursement. Per the Uniform Guidance Compliance Supplement: Withdrawal Date: If an institution is required to take attendance, the withdrawal date is the last date of academic attendance, as determined by the institution from its attendance records. An institution is required to take attendance if: a. The institution is required to take attendance for some or all of its students by an entity outside of the institution (such as the institution’s accrediting agency or state agency); b. The institution itself has a requirement that its instructors take attendance; or c. The institution or an outside entity has a requirement that can only be met by taking attendance or a comparable process, including, but not limited to, requiring that students in a program demonstrate attendance in the classes of that program or a portion of that program (34 CFR 668.22(b)(3)). Note: As provided in the Department’s Program Integrity Q&As for Return of Title IV Funds, the monitoring of whether online students log into classes does not by itself result in an institution being an institution that is required to take attendance for Title IV, HEA program purposes because monitoring logins alone is not monitoring academic engagement (as defined under 34 CFR 600.2). 
However, an institution that collects and maintains information about students’ online activities for the purpose of tracking academic engagement is considered to be an institution that is required to take attendance for programs involving such tracking if that tracking: 1. Involves monitoring student attendance in a synchronous class, lecture, recitation, or field or laboratory activity, physically or online via a distance education platform, where there is an opportunity for interaction between the instructor and students; or 2. Is used to administratively withdraw students or to enforce an institutional attendance policy. If an institution is not required to take attendance, the withdrawal date is (1) the date, as determined by the institution, that the student began the withdrawal process prescribed by the institution; (2) the date, as determined by the institution, that the student otherwise provided official notification to the institution, in writing or orally, of his or her intent to withdraw; (3) if the student ceases attendance without providing official notification to the institution of his or her withdrawal, the midpoint of the payment period or, if applicable, the period of enrollment; (4) if the institution determines that a student did not begin the withdrawal process or otherwise notify the institution of the intent to withdraw due to illness, accident, grievous personal loss or other circumstances beyond the student’s control, the date the institution determines is related to that circumstance; (5) if a student does not return from an approved leave of absence, the date that the institution determines the student began the leave of absence; or (6) if the student takes an unapproved leave of absence, the date that the student began the leave of absence. 
Notwithstanding the above, an institution that is not required to take attendance may use as the withdrawal date, the last date of attendance at an academically related activity as documented by the institution (34 CFR668.22(c) and (l)). Title IV funds may be expended only towards the education of the students who can be proven to have been in attendance at the institution. In a distance education context, documenting that a student has logged into an online distance education platform or system is not sufficient, by itself, to demonstrate attendance by the student. To avoid returning all funds for a student that did not begin attendance, an institution must be able to document “attendance at any class.” To qualify as a last date of attendance for Return of Title IV purposes, an institution must demonstrate that a student participated in class or was otherwise engaged in an academically related activity, such as by contributing to an online discussion or initiating contact with a faculty member to ask a course-related question. Timing of Return of Title IV Funds Returns of Title IV funds are required to be deposited or transferred into the SFA account or electronic fund transfers initiated to ED as soon as possible, but no later than 45 days after the date the institution determines that the student withdrew. Returns by check are late if the check is issued more than 45 days after the institution determined the student withdrew or the date on the canceled check shows the check was endorsed more than 60 days after the date the institution determined that the student withdrew (34 CFR 668.173(b)). 
An institution that is not required to take attendance must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew (34 CFR 668.22(j)). The institution must also notify the recipient of Title IV loans returned (34 CFR 685.306(a)(2)). Identified Condition: See schedule of findings and questioned costs Description A. Incorrect Calculation of Return to Title IV Funds East Los Angeles College We noted 1 of 15 students selected for return of Title IV funds test work from the population of students who had withdrawn, dropped out, or never began attendance that had an incorrect calculation of percentage of completion for Spring 2023 based on the student’s actual number of days completed during the enrollment period. The student was enrolled in a session module course, which is a program that does not span the entire length of the payment period or period of enrollment. For this type of course, the student’s “actively enrolled days” should have been used in the return of Title IV funds calculation. This error resulted in an overstatement of the institutional return by $13 and an overstatement of the student’s return by $21. The effect of the overstatement of the student’s return did not result in a questioned cost due to grant protection. Los Angeles Southwest College We noted 6 of 20 students selected for return of Title IV funds test work from the population of students who had withdrawn, dropped out or never began attendance for Fall 2022 that had had an incorrect calculation of the percentage of completion based on the student’s number of days completed during the enrollment period. 
For 3 students, these errors resulted in: • 1 student with an understatement of institutional return of $37 and an understatement of student return of $287. • 1 student with an understatement of institutional return of $11 and an understatement of student return of $197. • 1 student with an overstatement of institutional return of $10 and overstatement of student return of $20. The effect of the above overstatement of the student return did not result in questioned costs due to grant protection. For the remaining 3 students, we noted these students were enrolled in a session module course, which is a program that does not span the entire length of the payment period or period of enrollment. For this type of course, the student’s “actively enrolled days” should have been used in the return of Title IV funds calculation These errors resulted in: • 1 student with an overstatement of institutional return of $30. • 1 student with an overstatement of institutional return of $187. • 1 student with an overstatement of institutional return of $21 and an overstatement of student return of $9. The effect of the overstatement of the student return did not result in questioned costs due to grant protection. B. Untimely Notification of Grant Overpayment to the Secretary We noted that 1 out of 15 students selected for compliance test work at East Los Angeles College that owed an overpayment of $187 as a result of the student’s withdrawal was referred to the Secretary of the Department of Education beyond the 30-day timeframe from the date of the institution’s determination that the student withdrew and owed overpayments as a result of the student’s withdrawal. The required notification was submitted to the National Student Loan Data System (NSLDS) 260 days late. C. 
Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date The District has not yet implemented a formal process in place to monitor a student’s active participation in an online class and engagement in academic activities related to a distance education (DE) course in order to determine the reasonableness and accuracy of the student’s withdrawal date in the system. Currently, the withdrawal date used in the calculation of return to Title IV funds is the actual date the student initiates the withdrawal from the course in the system. Cause and Effect: A. Incorrect Calculation of Return to Title IV Funds East Los Angeles College The Financial Aid Technician who processed the Spring 2023 return to Title IV had an oversight on that record during his review process. He had a family emergency during that period and had to leave in the middle of his review process. As a result, he forgot to deduct the spring break period from the total number of days for the enrollment period. This caused the calculation to be slightly off. Los Angeles Southwest College The person who was assigned the role of handling the return to Title IV program received limited training before he assumed the duties of return to Title IV calculations while also having to maintain his full load as a Financial Aid Technician. In addition to the limited training, there were changes as to how the program was administered and modules were calculated. This is an arduous task for a seasoned professional and a very challenging task for a novice at best. As with all newly assigned duties, given more time he would have become an expert in handling this program with minimal to zero errors. B. Untimely Notification of Grant Overpayment to the Secretary Every two weeks a new batch of return to Title IV report is released to be processed. The urgency for each report to be completed within a certain time frame created confusion for the NSLDS reporting due date. 
The same Financial Aid Technician was in charge of completing each step of the process. East Los Angeles College has the largest return to Title IV population. The demand to meet the deadline process caused an oversight for the NSLDS report. C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date The calculation of return to Title IV funds is a complex process. The District has invested significant resources to improve the accuracy of the process. The District is centralizing and automating the return to Title IV process to minimize potential errors. However, there are still manual aspects to the process. In particular, distance education courses (DE) require faculty to withdraw students from Canvas, the online content delivery application, and Peoplesoft, the District’s student information system. Peoplesoft is used to maintain student records and for administering aid. Incorrect information entered into either system can lead to an incorrect return to Title IV calculation, resulting in institutional liability and/or disciplinary action taken by the U.S. Department of Education. Questioned Costs: A. Incorrect Calculation of Return to Title IV Funds See schedule of findings and questioned costs The District has a known net understatement of the amount due from the student of $434 and a known net overstatement of the amount due from the District of $213. The Projected total net understatement of amounts due from both the student and District is $4,006 as follows: See schedule of findings and questioned costs. This is computed by dividing the errors found in samples per term (Summer term – net understatement $0 and Fall/Spring terms – net understatement $221 over the total Pell awards disbursed in the sample size per term (Summer term – $5,000 and Fall/Spring terms – $176,293) multiplied by the total Pell awards disbursed for the identified colleges per term (Summer term – $67,595 and Fall/Spring terms – $3,195,662). 
The computation is made on a per-term basis at the campus level and not on a district-wide level.

B. Untimely Notification of Grant Overpayment to the Secretary
None.

C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date
None.

Recommendation:
We recommend that the District evaluate and improve its existing process and control procedures related to the return of Title IV funds, including notification and return due date requirements. This will help ensure 1) that the returns of Title IV funds are accurately calculated and 2) compliance with the notification and return due date requirements, in accordance with the Uniform Guidance and the Code of Federal Regulations.

We recommend that the District implement additional controls at the course instructor level to effectively monitor student participation and engagement in academic activities related to DE courses, so that the instructor can determine the reasonableness and accuracy of a student’s withdrawal date listed in the system. This will help ensure that the withdrawal date used in the calculation of the return of Title IV funds is accurate.

Views of Responsible Officials and Planned Corrective Actions:

A. Incorrect Calculation of Return to Title IV Funds
East Los Angeles College
The corrective action plan that will be put in place is to develop a chart with a predetermined number of days based on the enrollment period. This will avoid the manual counting of the number of days for each student. We also trained an additional staff member to help with the workload. This will ensure that errors will be caught before the completion of the review process. Implementation will begin in Spring 2024. Staff is currently being trained.
Personnel Responsible for Implementation: Gavino Herrera
Position of Responsible Personnel: Financial Aid Supervisor
Expected Date of Implementation: Spring 2024

Los Angeles Southwest College
The corrective action that we are implementing to remediate this finding is to move the campus return to Title IV processing to the “R2T4 Unit” at the District Office.
Personnel Responsible for Implementation: Muniece R. Bruton
Position of Responsible Personnel: Financial Aid Manager
Expected Date of Implementation: December 1, 2023

B. Untimely Notification of Grant Overpayment to Students and Secretary
East Los Angeles College
The corrective action plan is being implemented by providing an additional staff member to assist with the return to Title IV process along with helping with the validation to ensure calculation, notification, and reporting to NSLDS will be completed on a timely basis. A reminder is set in the Financial Aid Technician Outlook calendar to help remind them to help meet the deadline of the reporting requirement.
Personnel Responsible for Implementation: Gavino Herrera
Position of Responsible Personnel: Financial Aid Supervisor
Expected Date of Implementation: Fall 2023

C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date
In the fall 2022 term, the District implemented training for all Distance Education (DE) faculty members to reduce the risk of data entry errors. DE faculty receive follow-up notifications at the beginning of every term. In addition, the District attempted to conduct random sampling to ensure the accuracy of the data entry. However, the District did not have the authorization or resources to perform sampling during the audit period. As a result, the corrective action plan (CAP) was only partially implemented during fiscal year 2023. In fall 2023, the District secured the human resources and required authorizations to conduct random sampling of the faculty data entry. The District’s Internal Audit Department (IAD) is performing random sampling of all campuses. As of fall 2023, all corrective actions have been fully implemented.
Personnel Responsible for Implementation: Steve Giorgi, Betsy Regalado, Keyna Crenshaw
Position of Responsible Personnel: Financial Aid Manager, Associate Vice Chancellor of Educational Programs and Institutional Effectiveness, LACCD Supervising Auditor
Expected Date of Implementation: Fall 2023
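The day-count errors this finding describes (a spring break period not deducted from the enrollment period, and a module course calculated on the full period rather than the student's actively enrolled days) and the corrective action of a chart with a predetermined number of days per enrollment period, shown as an added Python example. This code is not from the audit report or from the District's systems. The term dates, break dates, module schedule and withdrawal dates are constructed; the five-consecutive-day break exclusion and the 60% full-earning threshold are the 34 CFR 668.22 rules rather than figures taken from this page; and treating a module course as the set of date ranges the student was scheduled to attend is a simplified reading of "actively enrolled days", not the District's implementation.

```python
from datetime import date, timedelta

# Regulatory constants from 34 CFR 668.22 (not from the audit report): a scheduled
# break of at least five consecutive days is excluded from the day count, and a
# student who completes more than 60% of the period has earned 100% of the aid.
BREAK_EXCLUSION_MIN_DAYS = 5
FULL_EARNED_THRESHOLD = 0.60


def _span(start: date, end: date) -> set[date]:
    """All calendar dates from start through end, inclusive."""
    return {start + timedelta(days=i) for i in range((end - start).days + 1)}


def countable_days(ranges, breaks) -> set[date]:
    """Days the student was scheduled to attend, minus excluded scheduled breaks.

    ranges: (start, end) pairs; one pair for a full-term course, one per module the
            student was scheduled to attend for a module course (simplified reading
            of "actively enrolled days", an assumption of this example).
    breaks: (start, end) pairs of scheduled breaks; only breaks of at least
            BREAK_EXCLUSION_MIN_DAYS consecutive days are removed from the count.
    """
    days: set[date] = set()
    for s, e in ranges:
        days |= _span(s, e)
    for s, e in breaks:
        if (e - s).days + 1 >= BREAK_EXCLUSION_MIN_DAYS:
            days -= _span(s, e)
    return days


def day_chart(ranges, breaks) -> dict[date, int]:
    """The precomputed chart: each countable day -> cumulative countable days through it.

    Built once per enrollment period, so nobody counts days by hand per student and
    the break deduction cannot be forgotten on an individual record.
    """
    return {d: n for n, d in enumerate(sorted(countable_days(ranges, breaks)), start=1)}


def completion(chart: dict[date, int], withdrawal: date):
    """(days completed, total days, fraction completed) looked up from the chart.

    A withdrawal date that falls inside an excluded break resolves to the last
    countable day before it.
    """
    total = max(chart.values())
    on_or_before = [d for d in chart if d <= withdrawal]
    completed = chart[max(on_or_before)] if on_or_before else 0
    return completed, total, completed / total


def earned_fraction(fraction_completed: float) -> float:
    """Share of Title IV aid earned: 100% once more than 60% of the period is completed."""
    return 1.0 if fraction_completed > FULL_EARNED_THRESHOLD else fraction_completed


# Constructed sample data (hypothetical dates, not taken from the audit report).
SPRING_TERM = [(date(2023, 2, 6), date(2023, 6, 5))]                 # 120 calendar days
SPRING_BREAK = [(date(2023, 4, 3), date(2023, 4, 9))]                # 7 days: excluded
MODULES = [(date(2023, 2, 6), date(2023, 3, 31)),                    # student scheduled for
           (date(2023, 4, 10), date(2023, 6, 5))]                    # two modules only


def demo() -> dict:
    withdrew = date(2023, 3, 20)
    chart = day_chart(SPRING_TERM, SPRING_BREAK)
    done, total, frac = completion(chart, withdrew)                          # 43 of 113
    # The error the finding describes: the break is not deducted from the total,
    # so the completion percentage is understated and the return is overstated.
    w_done, w_total, w_frac = completion(day_chart(SPRING_TERM, []), withdrew)  # 43 of 120
    # Module course: only the days in the scheduled modules count toward the total.
    m_done, m_total, m_frac = completion(day_chart(MODULES, SPRING_BREAK), withdrew)  # 43 of 111
    return {
        "correct": (done, total, round(frac, 4)),
        "break_not_deducted": (w_done, w_total, round(w_frac, 4)),
        "module_course": (m_done, m_total, round(m_frac, 4)),
        "withdrew_during_break": completion(chart, date(2023, 4, 5))[0],     # 56
        "late_withdrawal_earns_all": earned_fraction(completion(chart, date(2023, 5, 15))[2]),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The chart is the control the District's CAP describes: the per-period day count, including the break deduction, is computed once and reviewed once, and each student's completion is then a lookup by withdrawal date rather than a fresh manual count that one distracted reviewer can get wrong.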
The District’s Internal Audit Department (IAD) is performing random sampling of all campuses. As of fall 2023, all corrective actions have been fully implemented. Personnel Responsible for Implementation: Steve Giorgi, Betsy Regalado, Keyna Crenshaw Position of Responsible Personnel: Financial Aid Manager, Associate Vice Chancellor of Educational Programs and Institutional Effectiveness, LACCD Supervising Auditor) Expected Date of Implementation: Fall 2023
Finding FA 2023-003: Special Tests and Provisions: Gramm-Leach-Bliley Act – Student Information Security – Formally Establish and Document Risk Acceptance Process, Perform Regular Backup Restoration Tests, Perform Timely Access Revocation and Regular Access Reviews, Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards, Maintain and Review Logs of Users' Activity for both SAP and PS SIS, Implement Data-at-Rest Encryption for Devices Storing Customer Data, Enforce Strict Compliance on Controls over SAP Direct to Production Changes (Repeat Finding)

Federal Program Information
Assistance Listing Number: ALN 84.007, 84.033, 84.038, 84.048, 84.063 and 84.268
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2022, to June 30, 2023
Compliance Requirement: Special Tests and Provisions – Gramm-Leach-Bliley Act – Student Information Security

Criteria or Specific Requirement:

The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be "financial institutions" subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).

On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA and established minimum standards. The FTC stated that it "believes many of the requirements outlined in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions were required to be in compliance with the revised requirements no later than June 9, 2023.

Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, "Proposed § 314.4 [Elements] altered the current Rule's required elements of an information security program and added several new elements." The FTC also stated, "[t]he elements for the information security programs set forth in this section [16 CFR 314.4] are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed." The elements that an institution must address in its written information security program are at 16 CFR 314.4.

At a minimum, an institution's written information security program:
• Designates a qualified individual responsible for overseeing, implementing and enforcing the institution's information security program (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the written information security program must address the implementation of the safeguards identified in 16 CFR 314.4(c)(1) through (8), summarized as follows:
– Implement and periodically review access controls.
– Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted.
– Encrypt customer information at rest on the institution's systems and in transit over external networks.
– Adopt secure development practices for applications developed in-house and assess the security of externally developed applications.
– Implement multi-factor authentication for anyone accessing customer information on the institution's systems.
– Dispose of customer information securely.
– Anticipate and evaluate changes to the information system or network (change management).
– Log and monitor authorized users' activity and detect unauthorized access to, use of, or tampering with customer information.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution's information security program (16 CFR 314.4(g)).

The first element that an institution's written information security program must address is the designation of an individual with responsibility for implementing and enforcing the program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate responsibility and accountability for implementing and enforcing the institution's information security program (16 CFR 314.4(a)). The regulations do allow an institution to use a service provider as its Qualified Individual. In that case, the institution must:
• Retain responsibility for compliance with GLBA;
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations (16 CFR 314.4(a)(1) through (3)).
Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the program, ED expects that the Qualified Individual will be able to provide the auditors with the written information security program addressing each required element.

Identified Conditions:

A. Formally Establish and Document Risk Acceptance Process (repeat finding)

The District's Written Information Security Program does not explicitly define the criteria for accepting potential risks. A related process document, which the District committed in the prior year to complete, was still in development as of September 2023.

B. Perform Regular Backup Restoration Tests (repeat finding)

The District performed a comprehensive tabletop Disaster Recovery (DR) exercise for both SAP and SIS during the audit period. As part of the exercise, the DR team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations for improvement; the exercise was also reviewed and approved by the Vice Chancellor and Chief Information Officer. However, a key activity, the actual restoration of data from backup, was not performed as part of the tabletop exercise or at any other point during the audit period.

C. Perform Timely Access Revocation and Regular Access Reviews (repeat finding)

Based on a test of controls to verify that the access of terminated employees is removed in a timely manner from Active Directory (AD), SAP, and the PeopleSoft Student Information System (PS SIS), we noted that, of the terminated employees subject to testing:
1. 13 users were still active in AD, 3 of whom had logged in after their termination.
2. 76 users were still active in SAP, 19 of whom had logged in after their termination.
3. 81 users were still active in PS SIS, 42 of whom had logged in after their termination.
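The test behind item C is a leaver reconciliation: take HR's list of terminated employees, match it against a user export from each system, and report accounts that are still enabled and, among those, any whose last login is dated after the termination date. The script below is an added illustration of that check and is not part of the audit report or of any District tooling. The CSV column names, the sample rows and the "enabled/unlocked/not locked" conventions are constructed assumptions; a real AD, SAP or PeopleSoft export would be mapped into the same shape before being fed to the same routine.

```python
"""Leaver reconciliation across AD, SAP and PS SIS user exports.

Added example. All data below is constructed; column names are assumptions
standing in for whatever a real export provides.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import date
from typing import Callable

# Constructed HR leaver list (employee_id -> termination date).
HR_TERMINATIONS = """employee_id,name,termination_date
1001,Alice Ng,2023-01-31
1002,Bob Ruiz,2022-11-15
1003,Cara Diaz,2023-03-10
"""

# Constructed system exports. 1004 is a current employee and must be ignored.
AD_EXPORT = """sam_account,employee_id,enabled,last_logon
ang,1001,true,2023-02-14
bruiz,1002,false,2022-11-10
cdiaz,1003,true,2023-03-09
eholt,1004,true,2023-06-01
"""

SAP_EXPORT = """user_id,employee_id,lock_status,last_logon
ANG,1001,unlocked,2023-01-20
BRUIZ,1002,unlocked,2022-12-02
CDIAZ,1003,locked,2023-03-01
"""

PS_SIS_EXPORT = """oprid,employee_id,acct_locked,last_signon
ANG,1001,N,2023-04-05
CDIAZ,1003,N,
"""


@dataclass
class SystemResult:
    system: str
    still_active: list[str] = field(default_factory=list)    # revocation failed
    logged_in_after: list[str] = field(default_factory=list) # and the account was used


def _parse_date(text: str) -> date | None:
    text = (text or "").strip()
    return date.fromisoformat(text) if text else None


def load_terminations(csv_text: str) -> dict[str, date]:
    """HR leaver list as employee_id -> termination date."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["employee_id"].strip(): date.fromisoformat(r["termination_date"].strip())
            for r in rows}


def reconcile(system: str, csv_text: str, terminations: dict[str, date], *,
              id_col: str, login_col: str,
              is_active: Callable[[dict[str, str]], bool]) -> SystemResult:
    """Flag terminated employees whose account in `system` is still active,
    and those who logged in strictly after their termination date."""
    result = SystemResult(system)
    for row in csv.DictReader(io.StringIO(csv_text)):
        emp = row[id_col].strip()
        term_date = terminations.get(emp)
        if term_date is None:
            continue                      # current employee: out of scope
        if not is_active(row):
            continue                      # disabled/locked: revocation worked
        result.still_active.append(emp)
        last_login = _parse_date(row[login_col])
        # A blank last login is still a revocation failure, just not a used one.
        if last_login is not None and last_login > term_date:
            result.logged_in_after.append(emp)
    return result


def run_review(terminations_csv: str = HR_TERMINATIONS, ad_csv: str = AD_EXPORT,
               sap_csv: str = SAP_EXPORT, sis_csv: str = PS_SIS_EXPORT) -> dict[str, SystemResult]:
    terms = load_terminations(terminations_csv)
    ad = reconcile("AD", ad_csv, terms, id_col="employee_id", login_col="last_logon",
                   is_active=lambda r: r["enabled"].strip().lower() == "true")
    sap = reconcile("SAP", sap_csv, terms, id_col="employee_id", login_col="last_logon",
                    is_active=lambda r: r["lock_status"].strip().lower() == "unlocked")
    sis = reconcile("PS SIS", sis_csv, terms, id_col="employee_id", login_col="last_signon",
                    is_active=lambda r: r["acct_locked"].strip().upper() != "Y")
    return {r.system: r for r in (ad, sap, sis)}


def summary(results: dict[str, SystemResult]) -> dict[str, tuple[int, int]]:
    """system -> (terminated users still active, of which logged in after termination)."""
    return {name: (len(r.still_active), len(r.logged_in_after)) for name, r in results.items()}


if __name__ == "__main__":
    for name, r in run_review().items():
        print(f"{name}: {len(r.still_active)} terminated users still active, "
              f"{len(r.logged_in_after)} logged in after termination")
        for emp in r.logged_in_after:
            print(f"  post-termination login: employee {emp}")
```

The comparison is strict (`>`), so a login on the termination date itself is not counted as post-termination use; a blank last-login field is treated as no evidence of use, but the account is still reported as a revocation failure. Run on the same three exports at a fixed cadence, the routine doubles as the periodic user access review the finding says is missing for regular AD users and for SAP and SIS, with the HR list replaced by a current-employee-to-role mapping.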
Moreover, while a privileged user access review is performed for AD, no review is performed to check the validity of regular users in AD or the validity and appropriateness of users in SAP and SIS. Employee functions and responsibilities change over time, so previously provisioned access may no longer be valid. Furthermore, the periodic review of physical access to the data centers where the critical student information systems are hosted, a new compliance requirement under 16 CFR 314.4(c)(1), was also not performed during the audit period.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
16 CFR 314.4(f), a new compliance requirement, requires institutions to periodically assess service providers based on the risk they present and the continued adequacy of their safeguards. However, we noted that contracts for the following service providers were renewed by the District from 2020 to 2022 and thereafter without a sufficient information security review:
a. XAP – used for requesting, sending, and receiving electronic transcripts.
b. Bank Mobile – used for student refund processing.
c. Campus Logic – used for student online verification processing.
These contracts were instituted before the adoption of the District's Information Security Program and were therefore renewed without an Information Security Review.

E. Maintain and Review Logs of Users' Activity for both SAP and PS SIS
A new compliance requirement, which requires institutions to monitor and log the activity of authorized users and to detect unauthorized access to, use of, or tampering with customer information by such users [16 CFR 314.4(c)(8)], is not currently implemented by the District.

F. Implement Data-at-Rest Encryption for Devices Storing Customer Data
A new compliance requirement, which requires institutions to protect by encryption all student (customer) information held at rest [16 CFR 314.4(c)(3)], is not currently implemented by the District (e.g., on the SAP and SIS servers).

G. Enforce Strict Compliance on Controls over SAP Direct to Production Changes
The SAP production client was opened on 10/03/2022 and 11/09/2022 without sufficient documentation that the openings were authorized and approved. Opening the production client, if not controlled, carries a significant risk: while the client is open, changes can be made directly in the production environment without transport requests, circumventing the established change management controls.

Cause and Effect:

A. Formally Establish and Document Risk Acceptance Process
The absence of a formal risk acceptance process can lead to inappropriate risk treatment and a lack of oversight in managing risks, resulting in inconsistent approaches that may not align with the District's overall risk tolerance.

B. Perform Regular Backup Restoration Tests
Without restoration testing, the District has no evidence that its backups can be used to recover its data completely and accurately when a recovery is actually needed.

C. Perform Timely Access Revocation and Regular Access Reviews
Failure to deactivate or remove accounts of terminated employees in a timely manner may result in unauthorized access to the District's resources and sensitive information. Furthermore, the absence of user access reviews increases the risk that inappropriate users or access remain undetected over time and are used to process unauthorized transactions or view confidential information.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
Non-performance of the review may result in the District relying on IT service providers with ineffective information security controls, leaving them susceptible to data breaches.
A breach in a third-party system may expose the District to financial, operational, legal, and reputational damages.

E. Maintain and Review Logs of Users' Activity for both SAP and PS SIS
Without adequate logging and monitoring of users' activity, security incidents, including suspicious and unauthorized activities, may not be detected and responded to in a timely manner.

F. Implement Data-at-Rest Encryption for Devices Storing Customer Data
Data held on devices without encryption is vulnerable to unauthorized access, especially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students' information, may be exposed.

G. Enforce Strict Compliance on Controls over SAP Direct to Production Changes
Insufficient controls over client opening may result in the implementation of unauthorized changes directly in the production environment. This increases the risk that changes to the system do not follow the District's change management process (documentation, authorization, testing, and approval) before they are implemented in production.

Recommendation:

A. Formally Establish and Document Risk Acceptance Process
We recommend that the District establish and implement a Risk Acceptance process that details the criteria and conditions for accepting potential risks. We also recommend that the District ensure this process is aligned with the District's objectives, overall risk tolerance, and current practices for identifying, assessing, and mitigating risks.

B. Perform Regular Backup Restoration Tests
Together with the DR tabletop exercises, we recommend that backup restoration tests be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and the required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval.

C. Perform Timely Access Revocation and Regular Access Reviews
1. We recommend that the District revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of any activities or transactions performed by these accounts.
2. Concurrently, the District should improve the account termination procedures to ensure that access of terminated employees is revoked in a timely manner.
3. We also recommend that regular access reviews for AD, SAP, PS SIS, and physical access to the data centers where these systems are hosted be performed and documented (for both regular and privileged users) to ensure that only valid and appropriate users remain in the systems and have access to relevant information. The review may include, but is not limited to, the following:
a. Document management control over the completeness and accuracy of the reports used in the review.
b. Define designated functions/roles to perform the review.
c. Monitor the timeliness of the review and the execution of corrective actions resulting from it.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
Revisit the District's current practices for evaluating third-party providers' information security to ensure that all third parties are reviewed and evaluated regularly. At a minimum, the process should involve continuous monitoring, contractual provisions summarizing security requirements, and a strategy for addressing security vulnerabilities identified during reviews.

E. Maintain and Review Logs of Users' Activity for both SAP and PS SIS
Formally establish a process for logging and monitoring users' activity which includes collection, retention, regular review, and documentation of user activity logs.
The review should be aligned with the District's access management practices to ensure that only authorized users are allowed to access information, and only information that is aligned with their functions and responsibilities.

F. Implement Data-at-Rest Encryption for Devices Storing Customer Data
The District should establish and implement data-at-rest encryption for endpoint devices, and for the servers that hold customer information (e.g., SAP and SIS), to ensure that data is inaccessible to unauthorized users in cases where logical and physical measures are compromised.

G. Strictly Implement Processes and Controls for Direct Changes in the SAP Production Environment
Ensure that production client openings, particularly those related to direct production changes, strictly adhere to the District's Change Management Procedure. These client openings and the related changes should be properly documented, authorized, and validated prior to implementation.

Views of Responsible Officials and Planned Corrective Actions:

A. Formally Establish and Document Risk Acceptance Process
Requirements for risk assessments and risk acceptance processes to comply with GLBA were expanded in June of 2023. The District engaged a third-party consultant to conduct a GLBA-compliant risk assessment and advise on recommended changes to the District's Written Information Security Plan (WISP) to comply with the new requirements. The findings and recommendations were presented to the District in October of 2023 and are currently under review. The District will initiate a project to formalize risk acceptance by December 31, 2023, and implement the risk acceptance process by June 30, 2024.

B. Perform Regular Backup Restoration Tests
The District has engaged with a third party to build a testing environment to physically test restoration of the SIS environment. Initiation of the project is pending processing of the Purchase Order. The District anticipates completion of the restoration by December 31, 2023.
With respect to SAP, the District is currently engaged in an effort to migrate the SAP database to HANA. When this project is complete, the same test environment will be capable of performing physical recovery tests for SAP. The HANA migration is estimated to be completed on February 28, 2024.

C. Perform Timely Access Revocation and Regular Access Reviews
With respect to the District's Single Sign-On (ADFS or SSO) environments, the District engaged professional services consultants to address this item by automating the disablement of employee accounts based upon the termination of assignment. The work is currently underway. The target completion of the process is December 15, 2023. With respect to the SAP environment, the District has engaged with a vendor to implement Multifactor Authentication (MFA) in the SAP environment. Work will begin upon processing of the Purchase Order. Once both efforts are complete, disabling employee accounts in SSO, SIS and SAP will be performed automatically based upon the termination of assignments according to criteria established by Human Resources. With respect to access reviews of SIS and SAP, the District is currently researching the export of user audit logs to the District's analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024. With respect to physical access reviews, the District Information Security Team will perform an annual review of relevant operational protocols for data center access with the appropriate internal teams and perform an audit of data access at a minimum of once per year. The first annual protocol review will be completed by December 1, 2023. The first annual audit will commence no later than March 1, 2024.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
To prevent recurrence, the LACCD Information Security Team will coordinate an annual review of Administrative Protocol 3723A: Information Security Evaluation of Third-Party Providers with the District Financial Aid, Procurement, and Educational Programming and Institutional Effectiveness (EPIE) leadership teams to help assure that future relevant contracts are provided to the Information Security Team prior to renewal to allow for timely security review.

E. Maintain and Review Logs of Users' Activity for both SAP and PS SIS
The District is currently researching the export of user audit logs to the District's analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024.

F. Implement Data Encryption for Devices Storing Customer Data
The District engaged a third-party consultant to perform a comprehensive review of PeopleSoft security controls, including the implementation of encryption of financial aid data within PeopleSoft. The results are pending. Based upon those recommendations, the District will work with encryption providers to develop and implement field-level encryption of financial aid data in SIS as appropriate. With respect to end-user devices storing sensitive data, the District recently adopted workstation hardening requirements that include whole-disk encryption for desktop and laptop computers used by personnel who routinely access sensitive information, including financial aid data. The District will implement the standards on workstations used by employees in financial aid and institutional research by June 30, 2024. Once this is complete, additional workstations will be encrypted in order of potential risk.

G. Strictly Implement Processes and Controls for Direct Changes in the SAP Production Environment
The requests for direct changes in SAP production will be tracked and included in our help desk requests so that an auditable trail can be created leading to the purpose and completion of the production changes. Additionally, direct production change requests will be reviewed and approved following the LACCD Change Control process. Minor updates that do not fall within the change control guidelines will require managerial approval within the help desk system.

Personnel Responsible for Implementation: Carmen V. Lidz
Position of Responsible Personnel: Vice Chancellor & Chief Information Officer
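An illustration of what condition B and recommendation B ask for, as an added example that is not from the audit report and not the District's own procedure: a restoration test that restores a backup into a fresh database and verifies the restored content against a manifest recorded when the backup was taken, instead of walking through the recovery steps on paper. SQLite and the one sample table stand in for the SAP and SIS databases; the manifest format (per-table row count and SHA-256 over the ordered rows), the sample data, and the simulated incomplete backup are constructed for the example.

```python
"""Added example (not from the audit report): an actual backup restoration test.
A tabletop exercise walks through the plan; this restores a backup into a fresh
database and verifies the restored content against a manifest recorded when the
backup was taken. SQLite and the sample table stand in for the real systems.
"""
from __future__ import annotations

import hashlib
import os
import sqlite3
import tempfile
import time


def table_manifest(conn: sqlite3.Connection) -> dict[str, dict]:
    """Row count and SHA-256 over the ordered rows of every table."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    manifest = {}
    for name in names:
        digest = hashlib.sha256()
        count = 0
        for row in conn.execute(f'SELECT * FROM "{name}" ORDER BY rowid'):
            digest.update(repr(row).encode("utf-8"))
            count += 1
        manifest[name] = {"rows": count, "sha256": digest.hexdigest()}
    return manifest


def take_backup(source_path: str, backup_path: str) -> dict[str, dict]:
    """Copy the live database with SQLite's online backup API and record the
    manifest at the same time, so the restore has something to be checked against."""
    src = sqlite3.connect(source_path)
    dst = sqlite3.connect(backup_path)
    src.backup(dst)
    manifest = table_manifest(src)
    dst.close()
    src.close()
    return manifest


def restore_and_verify(backup_path: str, restore_path: str, manifest: dict[str, dict]) -> dict:
    """Restore into a fresh file and check it against the manifest. This is the
    step a tabletop exercise does not perform."""
    started = time.monotonic()
    src = sqlite3.connect(backup_path)
    dst = sqlite3.connect(restore_path)
    src.backup(dst)
    src.close()
    integrity = dst.execute("PRAGMA integrity_check").fetchone()[0]
    restored = table_manifest(dst)
    dst.close()
    missing = sorted(t for t in manifest if t not in restored)
    mismatched = sorted(t for t in manifest if t in restored and restored[t] != manifest[t])
    return {
        "ok": integrity == "ok" and not missing and not mismatched,
        "integrity": integrity,
        "missing_tables": missing,
        "mismatched_tables": mismatched,
        "restore_seconds": round(time.monotonic() - started, 3),  # compare against the RTO in the DRP
    }


def run_demo() -> tuple[dict, dict]:
    """Build a constructed source database, take a backup, then restore twice:
    once intact and once after a record has gone missing from the backup copy."""
    with tempfile.TemporaryDirectory() as workdir:
        prod = os.path.join(workdir, "prod.db")
        backup = os.path.join(workdir, "backup.db")
        conn = sqlite3.connect(prod)
        with conn:
            conn.execute("CREATE TABLE awards (id INTEGER PRIMARY KEY, student TEXT, amount REAL)")
            conn.executemany("INSERT INTO awards (student, amount) VALUES (?, ?)",
                             [("S-1", 1000.0), ("S-2", 2500.5), ("S-3", 0.0)])  # constructed rows
        conn.close()
        manifest = take_backup(prod, backup)
        good = restore_and_verify(backup, os.path.join(workdir, "restore_good.db"), manifest)
        # Simulate an incomplete backup: one record is lost before the restore is attempted.
        damaged = sqlite3.connect(backup)
        with damaged:
            damaged.execute("DELETE FROM awards WHERE id = 2")
        damaged.close()
        bad = restore_and_verify(backup, os.path.join(workdir, "restore_bad.db"), manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("intact backup:", good)
    print("damaged backup:", bad)
```

The point of the manifest is that "the restore finished without errors" is not the pass criterion: the damaged backup above restores cleanly and passes PRAGMA integrity_check, and only the row-count and content-hash comparison shows that a record is gone. The elapsed time is recorded so each annual test can be compared with the recovery time objective in the DRP, and the returned dictionary is the record to keep for management review.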
Strictly Implement Processes and Control for Direct Changes in the SAP Production Environment The requests for direct changes in SAP production will be tracked and included in our help desk requests so that an auditable trail can be created leading to the purpose and completion of the production changes. Additionally, direct production change requests will be reviewed and approved following the LACCD Change Control process. Minor updates that do not fall within the change control guidelines will require managerial approval within the help desk system. Personnel Responsible for Implementation: Carmen V. Lidz Position of Responsible Personnel: Vice Chancellor & Chief Information Officer
Finding FA 2023‑03: Special Tests and Provisions: Gramm Leach Bliley Act ‑ Student Information Security – Formally Establish and Document Risk Acceptance Process, Perform Regular Backup Restoration Tests, Perform Timely Access Revocation and Regular Access Reviews, Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards, Maintain and Review Logs of Users' Activity for both SAP and PS SIS, Implement Data-at-Rest Encryption for Devices Storing Customer Data, Enforce Strict Compliance on Controls over SAP Direct to Production Changes (Repeat Finding)
Federal Program Information
Assistance Listing Number: ALN 84.007, 84.033, 84.038, 84.048, 84.063 and 84.268
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2022, to June 30, 2023
Compliance Requirement: Special Tests and Provisions – Gramm Leach Bliley Act – Student Information Security
Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).
On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements outlined in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.” Institutions are required to be in compliance with the revised requirements no later than June 9, 2023.
Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4 [Elements] altered the current Rule’s required elements of an information security program and added several new elements.” The FTC also stated, “[t]he elements for the information security programs set forth in this section [16 CFR 314.4] are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.” The elements that an institution must address in its written information security program are at 16 CFR 314.4.
At a minimum, an institution’s written information security program:
• Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
– Implement and periodically review access controls.
– Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
– Encrypt customer information on the institution’s system and when it’s in transit.
– Assess apps developed by the institution.
– Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
– Dispose of customer information securely.
– Anticipate and evaluate changes to the information system or network.
– Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).
The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)). The regulations do provide for an institution to use a service provider as a Qualified Individual. In cases where an institution uses a service provider as the Qualified Individual, the institution must:
• Retain responsibility for compliance with GLBA.
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).
Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the information security program, ED expects that the Qualified Individual would be able to provide the written information security program that addresses the elements required for the written information security program to the auditors.
Identified Conditions:
A. Formally Establish and Document Risk Acceptance Process (repeat finding)
The District’s Written Information Security Program does not explicitly define the criteria for accepting potential risks. A related process document, which was committed to be completed in the prior year, is still in development as of September 2023.
B. Perform Regular Backup Restoration Tests (repeat finding)
The District performed a comprehensive Tabletop Disaster Recovery (DR) exercise for both SAP and SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations to improve moving forward; the exercise was also reviewed and approved by the Vice Chancellor and Chief Information Officer. However, a key activity, the actual backup restoration testing, was not performed as part of the tabletop exercise or at any point during the audit period.
C. Perform Timely Access Revocation and Regular Access Reviews (repeat finding)
Based on a test of controls to verify that access of terminated employees is timely removed in Active Directory (AD), SAP, and PeopleSoft Student Information System (PS SIS), we noted that out of the terminated employees subject to testing:
1. 13 users were active in AD, three (3) of whom have logged in after their termination.
2. 76 users were still active in SAP, 19 of whom have logged in after their termination.
3. 81 users were still active in PS SIS, 42 of whom have logged in after their termination.
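The test of controls above, and the activity review that Recommendation C.1 asks for, can be automated as an added example (not the auditors' or the District's own tooling): the script joins an HR termination list against per-system account exports and login events for AD, SAP and PS SIS, reports how many terminated users are still active and how many of those logged in after termination, and also flags disabled accounts that were shut off late or used before disablement. The CSV column names, the one-day grace period and every record are constructed assumptions.

```python
# Test of controls for timely access revocation (constructed example).
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, datetime

# Constructed HR termination list (assumed columns).
TERMINATIONS_CSV = """employee_id,termination_date
E1001,2023-01-15
E1002,2023-03-01
E1003,2023-05-20
E1004,2022-11-30
"""

# Constructed account export per system; disabled_on is blank while active.
ACCOUNTS_CSV = """system,employee_id,status,disabled_on
AD,E1001,active,
AD,E1002,disabled,2023-03-02
AD,E1003,active,
SAP,E1001,active,
SAP,E1002,active,
SAP,E1004,disabled,2023-04-10
SIS,E1001,disabled,2023-01-16
SIS,E1003,active,
SIS,E1004,active,
"""

# Constructed authentication log export per system.
LOGINS_CSV = """system,employee_id,logged_in_at
AD,E1001,2023-02-10T08:15:00
AD,E1003,2023-05-19T09:00:00
SAP,E1002,2023-03-15T14:30:00
SAP,E1004,2023-02-01T10:00:00
SIS,E1004,2023-12-01T11:45:00
SIS,E1003,2023-06-02T07:30:00
"""


@dataclass
class SystemResult:
    """Exceptions found in one system for the terminated population."""
    still_active: set = field(default_factory=set)
    logged_in_after_termination: set = field(default_factory=set)
    post_termination_logins: list = field(default_factory=list)
    late_disablement: dict = field(default_factory=dict)  # employee -> days late


def _rows(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))


def check_access_revocation(terminations_csv: str, accounts_csv: str,
                            logins_csv: str, grace_days: int = 1) -> dict:
    """Join terminations against account status and logins, per system.

    Flags accounts still active after termination, any login dated after the
    termination date (even if the account was later disabled, which is the
    activity Recommendation C.1 asks to be reviewed), and accounts disabled
    more than grace_days after termination. grace_days is an assumption.
    """
    terminated = {r["employee_id"]: date.fromisoformat(r["termination_date"])
                  for r in _rows(terminations_csv)}
    results = defaultdict(SystemResult)

    for acct in _rows(accounts_csv):
        emp = acct["employee_id"]
        if emp not in terminated:
            continue  # only terminated employees are in the test population
        res = results[acct["system"]]
        if acct["status"] == "active":
            res.still_active.add(emp)
        elif acct["disabled_on"]:
            lag = (date.fromisoformat(acct["disabled_on"]) - terminated[emp]).days
            if lag > grace_days:
                res.late_disablement[emp] = lag

    for ev in _rows(logins_csv):
        emp = ev["employee_id"]
        if emp not in terminated:
            continue
        ts = datetime.fromisoformat(ev["logged_in_at"])
        if ts.date() > terminated[emp]:
            res = results[ev["system"]]
            res.logged_in_after_termination.add(emp)
            res.post_termination_logins.append((emp, ts))

    return dict(results)


def summarize(results: dict) -> dict:
    """Per system: (users still active, of whom logged in after termination),
    the two figures the finding reports for AD, SAP and PS SIS."""
    return {system: (len(res.still_active),
                     len(res.still_active & res.logged_in_after_termination))
            for system, res in sorted(results.items())}


def accounts_needing_activity_review(results: dict) -> list:
    """Every (system, employee) with post-termination logins, active or not."""
    return sorted((system, emp) for system, res in results.items()
                  for emp in res.logged_in_after_termination)


if __name__ == "__main__":
    found = check_access_revocation(TERMINATIONS_CSV, ACCOUNTS_CSV, LOGINS_CSV)
    for system, (active, used) in summarize(found).items():
        print(f"{active} users were still active in {system}, "
              f"{used} of whom have logged in after their termination.")
    print("Review post-termination activity for:",
          accounts_needing_activity_review(found))
```

Note that a disabled account can still carry post-termination logins (SAP account E1004 in the sample), which is exactly why the revocation fix and the activity review are separate recommendations.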
Moreover, while a privileged user access review is performed for AD, there is no review performed to check the validity of regular users in AD and the validity and appropriateness of users in SAP and SIS. Employee functions and/or responsibilities may change over time; thus, previously provisioned access may no longer be valid. Furthermore, a new compliance requirement, which requires institutions to perform periodic access reviews for physical access in the data centers where the critical student information systems are hosted [16 CFR 314.4(c)(1)], was also not performed during the audit period.
D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
16 CFR 314.4(f), a new compliance requirement, requires institutions to periodically assess service providers based on the risk they present and the continued adequacy of their safeguards. However, we noted that contracts for the following service providers were renewed by the District without sufficient information security review from 2020 to 2022 and the period thereafter:
a. XAP – used for requesting, sending, and receiving electronic transcripts.
b. Bank Mobile – used for student refund processing.
c. Campus Logic – used for student online verification processing.
These contracts were instituted before the adoption of the District’s Information Security Program and thus were adopted and renewed thereafter without an Information Security Review.
E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
A new compliance requirement, which requires institutions to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users [16 CFR 314.4(c)(8)], is not currently implemented by the District.
F. Implement Data-at-Rest Encryption for Devices Storing Customer Data
A new compliance requirement, which requires institutions to protect by encryption all students’ data held at rest [16 CFR 314.4(c)(3)], is not currently implemented by the District (e.g., SAP and SIS servers).
G. Enforce Strict Compliance on Controls over SAP Direct to Production Changes
The SAP production client was opened on 10/03/2022 and 11/09/2022 without sufficient documentation that it was authorized and approved. Opening the production client, if not controlled, carries a significant risk since changes can be made directly to the production environment without transport requests, thereby circumventing any established change management controls.
Cause and Effect:
A. Formally Establish and Document Risk Acceptance Process
The absence of a formal risk acceptance process can lead to inappropriate risk treatment and a lack of oversight in managing risks, resulting in inconsistent approaches that may not align with the District’s overall risk tolerance.
B. Perform Regular Backup Restoration Tests
Lack of proper restoration testing may hinder the District from recovering its data completely and accurately.
C. Perform Timely Access Revocation and Regular Access Reviews
Failure to deactivate or remove accounts of terminated employees in a timely manner may result in unauthorized access to the District’s resources and sensitive information. Furthermore, the absence of user access reviews increases the risk of inappropriate users or access remaining undetected over time, which may be used to process unauthorized transactions or view confidential information.
D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
Non-performance of reviews may result in the District relying on IT service providers with ineffective information security controls, making them susceptible to data breaches. A breach in a third-party system may expose the District to financial, operational, legal, and reputational damages.
E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and unauthorized activities, may not be detected and responded to in a timely manner.
F. Implement Data-at-Rest Encryption for Devices Storing Customer Data
Data that is held on devices without encryption is vulnerable to unauthorized access, especially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students’ information, may be exposed.
G. Enforce Strict Compliance on Controls over SAP Direct to Production Changes
Insufficient controls over client opening may result in the implementation of unauthorized changes directly into the production environment. This increases the risk that changes to the system may not follow the District’s change management process (documentation, authorization, testing, and approval) prior to the implementation of the change to the production environment.
Recommendation:
A. Formally Establish and Document Risk Acceptance Process
We recommend that the District establish and implement the District’s Risk Acceptance process that details the criteria and conditions for accepting potential risks. We also recommend that the District ensure this is aligned with the District’s objectives, overall risk tolerance, and current practices in identifying, assessing, and mitigating risks.
B. Perform Regular Backup Restoration Tests
Together with the DR tabletop exercises, we recommend that backup restoration tests be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and the required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval.
C.
Perform Timely Access Revocation and Regular Access Reviews 1. We recommend that the District revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of activities/transactions performed by these accounts, if any. 2. Concurrently, the District should improve the account termination procedures to ensure that access to terminated employees is timely revoked. 3. We also recommend that regular access reviews for AD, SAP, PS SIS, and the physical accesses to data centers where these systems are hosted, are performed, and documented (for both regular and privileged users) to ensure that only valid and appropriate users remain in the system and have access to relevant information. The review may include, but is not limited to the following: a. Document management control over the completeness and accuracy of the reports used in the review. b. Define designated functions/roles to perform the review. c. Monitor timeliness of the performance of the review and execution of corrective actions as a result of the review D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards Revisit the District’s current practices for evaluating third-party provider’s information security to ensure that all third-party are reviewed and evaluated regularly. At the minimum, the process should involve continuous monitoring, contractual provisions summarizing security requirements, and a strategy for addressing security vulnerabilities identified during reviews. E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS Formally establish a process for logging and monitoring users’ activity which includes collection, retention, regular review, and documentation of user activity logs. 
The review should be aligned with the District’s access management practices to ensure that only authorized users are allowed to access information that is aligned with their functions and responsibilities. F. Implement Data-at-Rest encryption for Devices Storing Customer Data The District should establish and implement data-at-rest encryption for endpoint devices to ensure that data is inaccessible to unauthorized users in cases when logical and physical measures are compromised. G. Strictly Implement Processes and Control for Direct Changes in the SAP Production Environment Ensure that production client openings, particularly those related to direct production changes, strictly adhere to the District’s Change Management Procedure. These client openings and the related changes should be properly documented, authorized, and validated prior to implementation. Views of Responsible Officials and Planned Corrective Actions: A. Formally Establish and Document Risk Acceptance Process Requirements for risk assessments and risk acceptance processes to comply with GLBA were expanded in June of 2023. The District engaged a third-party consultant to conduct a GLBA-compliant risk assessment and advise on recommended changes to the District’s Written Information Security Plan (WISP) to comply with the new requirements. The findings and recommendations were presented to the District in October of 2023 and are currently under review. The District will initiate a project to formalize risk acceptance by December 31st, 2023, and implement the risk acceptance process by June 30, 2024. B. Perform Regular Backup Restoration Tests The District has engaged with a third party to build a testing environment to physically test restoration of the SIS environment. Initiation of the project is pending processing of the Purchase Order. The District anticipates completion of the restoration by December 31st, 2023. 
With respect to SAP, the District is currently engaged in an effort to migrate the SAP database to HANA. When this project is complete, the same test environment will be capable of performing physical recovery tests for SAP. The HANA migration is estimated to be completed on February 28th, 2024. C. Perform Timely Access Revocation and Regular Access Reviews With respect to the District’s Single Sign-On (ADFS or SSO) environments, the District engaged professional services consultants to address this item by automating the disablement of employee accounts based upon the termination of assignment. The work is currently underway. The target completion of the process is December 15, 2023. With respect to the SAP environment, the District has engaged with a vendor to implement Multifactor Authentication (MFA) in the SAP environment. Work will begin upon processing the Purchase Order. Once both efforts are complete, disabling employee accounts in SSO, SIS and SAP will be performed automatically based upon the termination of assignments according to criteria established by Human Resources. With respect to access reviews of SIS and SAP, the District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024. With respect to physical access reviews, the District Information Security Team will perform an annual review of relevant operational protocols for data center access with the appropriate internal teams and perform an audit of data access at a minimum of once per year. The first annual protocol review will be completed by December 1st, 2023. The first annual audit will commence no later than March 1st, 2024. D. 
Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards To prevent recurrence, the LACCD Information Security Team will coordinate an annual review of Administrative Protocol 3723A: Information Security Evaluation of Third-Party Providers with District Financial Aid, Procurement and Educational Programming and Institutional Effectiveness (EPIE) leadership teams to help assure future relevant contracts are provided to the Information Security Team prior to renewal to allow for timely security review. E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS The District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024. F. Implement data encryption for Devices Storing Customer Data The District engaged a third-party consultant to perform a comprehensive review of PeopleSoft security controls, including the implementation of encryption of financial aid data within PeopleSoft. The results are pending. Based upon those recommendations, the District will work with encryption providers to develop and implement field-level encryption of financial aid data in SIS as appropriate. With respect to end-user devices storing sensitive data, the District recently adopted workstation hardening requirements that include whole-disk encryption for desktop and laptop computers used by personnel who routinely access sensitive information, including financial aid data. The District will implement the standards on workstations used by employees in financial aid and institutional research by June 30, 2024. Once this is complete, additional workstations will be encrypted in order of potential risk. G. 
Strictly Implement Processes and Control for Direct Changes in the SAP Production Environment The requests for direct changes in SAP production will be tracked and included in our help desk requests so that an auditable trail can be created leading to the purpose and completion of the production changes. Additionally, direct production change requests will be reviewed and approved following the LACCD Change Control process. Minor updates that do not fall within the change control guidelines will require managerial approval within the help desk system. Personnel Responsible for Implementation: Carmen V. Lidz Position of Responsible Personnel: Vice Chancellor & Chief Information Officer
Finding FA 2023‑03: Special Tests and Provision: Gramm Leach Bliley Act ‑ Student Information Security – Formally Establish and Document Risk Acceptance Process, Perform Regular Backup Restoration Tests, Perform Timely Access Revocation and Regular Access Reviews, Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards, Maintain and Review Logs of Users' Activity for both SAP and PS SIS, Implement Data-at-Rest Encryption for Devices Storing Customer Data, Enforce Strict Compliance on Controls over SAP Direct to Production Changes (Repeat Finding) Federal Program Information Assistance Listing Number: ALN 84.007, 84.033, 84.038, 84.048, 84.063 and 84.268 Federal Program Name: Student Financial Assistance Cluster Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: Various Federal Award Year: July 1, 2022, to June 30, 2023 Compliance Requirement: Special Tests and Provisions – Gramm Leach Bliley Act – Student Information Security Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)). 
On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA and established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements outlined in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.” Institutions are required to be in compliance with the revised requirements no later than June 9, 2023.

Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4 [Elements] altered the current Rule’s required elements of an information security program and added several new elements.” The FTC also stated, “[t]he elements for the information security programs set forth in this section [16 CFR 314.4] are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.” The elements that an institution must address in its written information security program are at 16 CFR 314.4.

At a minimum, an institution’s written information security program:
• Designates a qualified individual responsible for overseeing, implementing, and enforcing the institution’s information security program (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
– Implement and periodically review access controls.
– Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted.
– Encrypt customer information on the institution’s systems and when it is in transit.
– Assess applications developed by the institution.
– Implement multi-factor authentication for anyone accessing customer information on the institution’s systems.
– Dispose of customer information securely.
– Anticipate and evaluate changes to the information system or network.
– Maintain a log of authorized users’ activity and monitor for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).

The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing the institution’s written information security program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)). The regulations do allow an institution to use a service provider as its Qualified Individual. In that case, the institution must (16 CFR 314.4(a)(1) through (3)):
• Retain responsibility for compliance with GLBA;
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of 16 CFR Part 314.
Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the information security program, ED expects that the Qualified Individual would be able to provide the auditors with the written information security program that addresses the required elements.

Identified Conditions:

A. Formally Establish and Document Risk Acceptance Process (repeat finding)
The District’s Written Information Security Program does not explicitly define the criteria for accepting potential risks. A related process document, which the District committed to complete in the prior year, was still in development as of September 2023.

B. Perform Regular Backup Restoration Tests (repeat finding)
The District performed a comprehensive tabletop Disaster Recovery (DR) exercise for both SAP and SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully documented with recovery considerations, steps, results, recovery challenges, and key recommendations for improvement; the exercise was also reviewed and approved by the Vice Chancellor and Chief Information Officer. However, a key activity, the actual restoration of data from backup, was not performed as part of the tabletop exercise or at any point during the audit period.

C. Perform Timely Access Revocation and Regular Access Reviews (repeat finding)
Based on a test of controls to verify that the access of terminated employees is removed timely from Active Directory (AD), SAP, and the PeopleSoft Student Information System (PS SIS), we noted that, of the terminated employees subject to testing:
1. 13 users were still active in AD, three (3) of whom had logged in after their termination.
2. 76 users were still active in SAP, 19 of whom had logged in after their termination.
3. 81 users were still active in PS SIS, 42 of whom had logged in after their termination.
Moreover, while a privileged user access review is performed for AD, no review is performed to check the validity of regular users in AD or the validity and appropriateness of users in SAP and SIS. Employee functions and responsibilities may change over time; thus, previously provisioned access may no longer be valid. Furthermore, a new compliance requirement, which requires institutions to periodically review physical access controls at the data centers where the critical student information systems are hosted [16 CFR 314.4(c)(1)], was also not performed during the audit period.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
16 CFR 314.4(f), a new compliance requirement, requires institutions to periodically assess service providers based on the risk they present and the continued adequacy of their safeguards. However, we noted that contracts for the following service providers were renewed by the District without sufficient information security review from 2020 to 2022 and in the period thereafter:
a. XAP – used for requesting, sending, and receiving electronic transcripts.
b. Bank Mobile – used for student refund processing.
c. Campus Logic – used for student online verification processing.
These contracts were instituted before the adoption of the District’s Information Security Program and thus were renewed thereafter without an Information Security Review.

E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
A new compliance requirement, which requires institutions to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users [16 CFR 314.4(c)(8)], is not currently implemented by the District.

F. Implement Data-at-Rest Encryption for Devices Storing Customer Data
A new compliance requirement, which requires institutions to protect by encryption all students’ data held at rest [16 CFR 314.4(c)(3)], is not currently implemented by the District (e.g., on the SAP and SIS servers).

G. Enforce Strict Compliance on Controls over SAP Direct-to-Production Changes
The SAP production client was opened on 10/03/2022 and 11/09/2022 without sufficient documentation that the opening was authorized and approved. Opening the production client, if not controlled, carries a significant risk because changes can then be made directly in the production environment without transport requests, circumventing the established change management controls.

Cause and Effect:

A. Formally Establish and Document Risk Acceptance Process
The absence of a formal risk acceptance process can lead to inappropriate risk treatment and a lack of oversight in managing risks, resulting in inconsistent approaches that may not align with the District’s overall risk tolerance.

B. Perform Regular Backup Restoration Tests
Lack of proper restoration testing may hinder the District from recovering its data completely and accurately.

C. Perform Timely Access Revocation and Regular Access Reviews
Failure to deactivate or remove the accounts of terminated employees timely may result in unauthorized access to the District’s resources and sensitive information. Furthermore, the absence of user access reviews increases the risk that inappropriate users or access remain undetected over time and are used to process unauthorized transactions or view confidential information.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
Non-performance of the review may result in the District relying on IT service providers with ineffective information security controls, making them susceptible to data breaches. A breach in a third-party system may expose the District to financial, operational, legal, and reputational damages.

E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and unauthorized activities, may not be detected and responded to in a timely manner.

F. Implement Data-at-Rest Encryption for Devices Storing Customer Data
Data held on devices without encryption is vulnerable to unauthorized access, especially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students’ information, may be exposed.

G. Enforce Strict Compliance on Controls over SAP Direct-to-Production Changes
Insufficient controls over client opening may result in the implementation of unauthorized changes directly in the production environment. This increases the risk that changes to the system do not follow the District’s change management process (documentation, authorization, testing, and approval) prior to their implementation in production.

Recommendation:

A. Formally Establish and Document Risk Acceptance Process
We recommend that the District establish and implement a Risk Acceptance process that details the criteria and conditions for accepting potential risks. We also recommend that the District ensure this process is aligned with the District’s objectives, overall risk tolerance, and current practices in identifying, assessing, and mitigating risks.

B. Perform Regular Backup Restoration Tests
Together with the DR tabletop exercises, we recommend that backup restoration tests be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and the required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval.

C. Perform Timely Access Revocation and Regular Access Reviews
1. We recommend that the District revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of any activities or transactions performed by these accounts.
2. Concurrently, the District should improve its account termination procedures to ensure that the access of terminated employees is revoked timely.
3. We also recommend that regular access reviews for AD, SAP, PS SIS, and physical access to the data centers where these systems are hosted be performed and documented (for both regular and privileged users) to ensure that only valid and appropriate users remain in the systems and have access to relevant information. The review may include, but is not limited to, the following:
a. Document management control over the completeness and accuracy of the reports used in the review.
b. Define the designated functions/roles that perform the review.
c. Monitor the timeliness of the review and the execution of corrective actions resulting from it.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
Revisit the District’s current practices for evaluating third-party providers’ information security to ensure that all third parties are reviewed and evaluated regularly. At a minimum, the process should involve continuous monitoring, contractual provisions summarizing security requirements, and a strategy for addressing security vulnerabilities identified during reviews.

E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Formally establish a process for logging and monitoring users’ activity which includes collection, retention, regular review, and documentation of user activity logs. The review should be aligned with the District’s access management practices to ensure that only authorized users are allowed to access information that is aligned with their functions and responsibilities.

F. Implement Data-at-Rest Encryption for Devices Storing Customer Data
The District should establish and implement data-at-rest encryption for endpoint devices to ensure that data is inaccessible to unauthorized users in cases where logical and physical measures are compromised.

G. Strictly Implement Processes and Controls for Direct Changes in the SAP Production Environment
Ensure that production client openings, particularly those related to direct production changes, strictly adhere to the District’s Change Management Procedure. These client openings and the related changes should be properly documented, authorized, and validated prior to implementation.

Views of Responsible Officials and Planned Corrective Actions:

A. Formally Establish and Document Risk Acceptance Process
Requirements for risk assessments and risk acceptance processes to comply with GLBA were expanded in June of 2023. The District engaged a third-party consultant to conduct a GLBA-compliant risk assessment and advise on recommended changes to the District’s Written Information Security Plan (WISP) to comply with the new requirements. The findings and recommendations were presented to the District in October of 2023 and are currently under review. The District will initiate a project to formalize risk acceptance by December 31, 2023, and implement the risk acceptance process by June 30, 2024.

B. Perform Regular Backup Restoration Tests
The District has engaged with a third party to build a testing environment to physically test restoration of the SIS environment. Initiation of the project is pending processing of the Purchase Order. The District anticipates completion of the restoration by December 31, 2023. With respect to SAP, the District is currently engaged in an effort to migrate the SAP database to HANA. When this project is complete, the same test environment will be capable of performing physical recovery tests for SAP. The HANA migration is estimated to be completed on February 28, 2024.

C. Perform Timely Access Revocation and Regular Access Reviews
With respect to the District’s Single Sign-On (ADFS or SSO) environments, the District engaged professional services consultants to address this item by automating the disablement of employee accounts based upon the termination of assignment. The work is currently underway. The target completion of the process is December 15, 2023. With respect to the SAP environment, the District has engaged with a vendor to implement Multifactor Authentication (MFA) in the SAP environment. Work will begin upon processing of the Purchase Order. Once both efforts are complete, disabling employee accounts in SSO, SIS and SAP will be performed automatically based upon the termination of assignments according to criteria established by Human Resources. With respect to access reviews of SIS and SAP, the District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024. With respect to physical access reviews, the District Information Security Team will perform an annual review of relevant operational protocols for data center access with the appropriate internal teams and perform an audit of data access at a minimum of once per year. The first annual protocol review will be completed by December 1, 2023. The first annual audit will commence no later than March 1, 2024.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
To prevent recurrence, the LACCD Information Security Team will coordinate an annual review of Administrative Protocol 3723A: Information Security Evaluation of Third-Party Providers with the District Financial Aid, Procurement, and Educational Programming and Institutional Effectiveness (EPIE) leadership teams to help assure that future relevant contracts are provided to the Information Security Team prior to renewal to allow for timely security review.

E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
The District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024.

F. Implement Data Encryption for Devices Storing Customer Data
The District engaged a third-party consultant to perform a comprehensive review of PeopleSoft security controls, including the implementation of encryption of financial aid data within PeopleSoft. The results are pending. Based upon those recommendations, the District will work with encryption providers to develop and implement field-level encryption of financial aid data in SIS as appropriate. With respect to end-user devices storing sensitive data, the District recently adopted workstation hardening requirements that include whole-disk encryption for desktop and laptop computers used by personnel who routinely access sensitive information, including financial aid data. The District will implement the standards on workstations used by employees in financial aid and institutional research by June 30, 2024. Once this is complete, additional workstations will be encrypted in order of potential risk.

G. Strictly Implement Processes and Controls for Direct Changes in the SAP Production Environment
Requests for direct changes in SAP production will be tracked and included in our help desk requests so that an auditable trail can be created leading to the purpose and completion of the production changes. Additionally, direct production change requests will be reviewed and approved following the LACCD Change Control process. Minor updates that do not fall within the change control guidelines will require managerial approval within the help desk system.

Personnel Responsible for Implementation: Carmen V. Lidz
Position of Responsible Personnel: Vice Chancellor & Chief Information Officer
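The control test described under Condition C (terminated employees still enabled in AD, SAP and PS SIS, some of whom logged in after termination) and the user-activity log review called for under Condition E can be run as a single reconciliation: join the HR termination feed to each system's account export and to its authentication log, then report who is still enabled past a revocation grace period and who authenticated after their termination date. The script below is an added example written for this page; it is not the auditors' test procedure and not any District tooling. The HR feed, account exports, log line format, usernames and dates are all constructed for illustration, and the column names are hypothetical; a real AD, SAP or PeopleSoft export would need a small adapter into the same three inputs.

```python
"""Reconcile an HR termination feed against per-system account exports and
authentication logs. Reports, per system, (a) terminated users still enabled past a
grace period and (b) terminated users with a successful login after termination.
All data is constructed; usernames, dates, column names and log format are hypothetical."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Constructed HR feed: one row per terminated employee.
HR_TERMINATIONS_CSV = """employee_id,username,termination_date
E1001,jdoe,2023-01-31
E1002,asmith,2023-03-15
E1003,bchen,2023-05-02
E1004,mlopez,2023-06-10
E1005,kwong,2023-06-29
"""

# Constructed account exports, one per system (hypothetical "username,enabled" columns).
ACCOUNTS_CSV = {
    "AD": "username,enabled\njdoe,false\nasmith,true\nbchen,true\nmlopez,true\nkwong,true\nrpatel,true\n",
    "SAP": "username,enabled\njdoe,true\nasmith,true\nbchen,false\nmlopez,true\nkwong,false\n",
    "PS_SIS": "username,enabled\njdoe,true\nasmith,false\nbchen,true\nmlopez,true\n",
}

# Constructed authentication log: "<system> <ISO timestamp> <event> <username>".
AUTH_LOG = """AD 2023-02-14T08:02:11 LOGIN_OK asmith
AD 2023-04-01T09:15:00 LOGIN_OK asmith
AD 2023-07-01T08:00:00 LOGIN_OK rpatel
SAP 2023-02-03T12:44:19 LOGIN_OK jdoe
SAP 2023-03-14T07:00:00 LOGIN_OK asmith
SAP 2023-03-20T07:00:00 LOGIN_FAIL asmith
PS_SIS 2023-05-01T10:00:00 LOGIN_OK bchen
PS_SIS 2023-06-12T18:30:05 LOGIN_OK mlopez
"""


@dataclass
class SystemFindings:
    still_active: list[str] = field(default_factory=list)    # enabled past the grace period
    logged_in_after: list[str] = field(default_factory=list)  # successful login strictly after termination


def load_terminations(text: str) -> dict[str, date]:
    """username -> termination date, from the HR feed."""
    return {row["username"]: date.fromisoformat(row["termination_date"])
            for row in csv.DictReader(io.StringIO(text))}


def load_enabled_accounts(text: str) -> set[str]:
    """Usernames the export marks as enabled; anyone absent is treated as not enabled."""
    return {row["username"] for row in csv.DictReader(io.StringIO(text))
            if row["enabled"].strip().lower() == "true"}


def parse_auth_log(text: str) -> dict[str, dict[str, datetime]]:
    """system -> username -> timestamp of the most recent successful login."""
    latest: dict[str, dict[str, datetime]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        system, ts, event, user = line.split()
        if event != "LOGIN_OK":  # failed attempts are not evidence of access
            continue
        when = datetime.fromisoformat(ts)
        per_system = latest.setdefault(system, {})
        if user not in per_system or when > per_system[user]:
            per_system[user] = when
    return latest


def reconcile(terminations: dict[str, date], accounts_by_system: dict[str, str],
              auth_log: str, as_of: date, grace_days: int = 1) -> dict[str, SystemFindings]:
    """Apply both tests to every system. A login on the termination date itself is not
    flagged (the employee may still have been working that day); any later day is."""
    latest_logins = parse_auth_log(auth_log)
    results: dict[str, SystemFindings] = {}
    for system, export in accounts_by_system.items():
        enabled = load_enabled_accounts(export)
        findings = SystemFindings()
        for user, term_date in sorted(terminations.items()):
            if user in enabled and as_of > term_date + timedelta(days=grace_days):
                findings.still_active.append(user)
            last = latest_logins.get(system, {}).get(user)
            if last is not None and last.date() > term_date:
                findings.logged_in_after.append(user)  # reported even if since disabled
        results[system] = findings
    return results


def run_review(as_of_iso: str, grace_days: int = 1) -> dict[str, SystemFindings]:
    """Run the reconciliation over the constructed sample data as of the given date."""
    return reconcile(load_terminations(HR_TERMINATIONS_CSV), ACCOUNTS_CSV, AUTH_LOG,
                     as_of=date.fromisoformat(as_of_iso), grace_days=grace_days)


if __name__ == "__main__":
    for system, f in run_review("2023-06-30").items():
        print(f"{system}: {len(f.still_active)} terminated users still enabled {f.still_active}; "
              f"{len(f.logged_in_after)} authenticated after termination {f.logged_in_after}")
```

Two design points are worth keeping when adapting this to real exports. First, the grace period is the revocation SLA being tested: with `grace_days=1` a user terminated the day before the review date (kwong in the sample) is not yet an exception, while with `grace_days=0` they are, so the number reported depends on the SLA the District's termination procedure commits to. Second, a post-termination login is reported even when the account has since been disabled, because it is evidence that revocation was late, which is exactly what the Recommendation C review of "activities performed by those accounts after their termination date" needs to see; failed logins are excluded since they show an attempt, not access.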
Finding FA 2023‑03: Special Tests and Provisions: Gramm-Leach-Bliley Act – Student Information Security – Formally Establish and Document Risk Acceptance Process, Perform Regular Backup Restoration Tests, Perform Timely Access Revocation and Regular Access Reviews, Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards, Maintain and Review Logs of Users' Activity for both SAP and PS SIS, Implement Data-at-Rest Encryption for Devices Storing Customer Data, Enforce Strict Compliance on Controls over SAP Direct to Production Changes (Repeat Finding)

Federal Program Information
Assistance Listing Number: ALN 84.007, 84.033, 84.038, 84.048, 84.063 and 84.268
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2022, to June 30, 2023
Compliance Requirement: Special Tests and Provisions – Gramm-Leach-Bliley Act – Student Information Security

Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR Part 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be “financial institutions” subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).
With respect to SAP, the District is currently engaged in an effort to migrate the SAP database to HANA. When this project is complete, the same test environment will be capable of performing physical recovery tests for SAP. The HANA migration is estimated to be completed on February 28th, 2024. C. Perform Timely Access Revocation and Regular Access Reviews With respect to the District’s Single Sign-On (ADFS or SSO) environments, the District engaged professional services consultants to address this item by automating the disablement of employee accounts based upon the termination of assignment. The work is currently underway. The target completion of the process is December 15, 2023. With respect to the SAP environment, the District has engaged with a vendor to implement Multifactor Authentication (MFA) in the SAP environment. Work will begin upon processing the Purchase Order. Once both efforts are complete, disabling employee accounts in SSO, SIS and SAP will be performed automatically based upon the termination of assignments according to criteria established by Human Resources. With respect to access reviews of SIS and SAP, the District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024. With respect to physical access reviews, the District Information Security Team will perform an annual review of relevant operational protocols for data center access with the appropriate internal teams and perform an audit of data access at a minimum of once per year. The first annual protocol review will be completed by December 1st, 2023. The first annual audit will commence no later than March 1st, 2024. D. 
Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards To prevent recurrence, the LACCD Information Security Team will coordinate an annual review of Administrative Protocol 3723A: Information Security Evaluation of Third-Party Providers with District Financial Aid, Procurement and Educational Programming and Institutional Effectiveness (EPIE) leadership teams to help assure future relevant contracts are provided to the Information Security Team prior to renewal to allow for timely security review. E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS The District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024. F. Implement data encryption for Devices Storing Customer Data The District engaged a third-party consultant to perform a comprehensive review of PeopleSoft security controls, including the implementation of encryption of financial aid data within PeopleSoft. The results are pending. Based upon those recommendations, the District will work with encryption providers to develop and implement field-level encryption of financial aid data in SIS as appropriate. With respect to end-user devices storing sensitive data, the District recently adopted workstation hardening requirements that include whole-disk encryption for desktop and laptop computers used by personnel who routinely access sensitive information, including financial aid data. The District will implement the standards on workstations used by employees in financial aid and institutional research by June 30, 2024. Once this is complete, additional workstations will be encrypted in order of potential risk. G. 
Strictly Implement Processes and Control for Direct Changes in the SAP Production Environment The requests for direct changes in SAP production will be tracked and included in our help desk requests so that an auditable trail can be created leading to the purpose and completion of the production changes. Additionally, direct production change requests will be reviewed and approved following the LACCD Change Control process. Minor updates that do not fall within the change control guidelines will require managerial approval within the help desk system. Personnel Responsible for Implementation: Carmen V. Lidz Position of Responsible Personnel: Vice Chancellor & Chief Information Officer
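The test of controls behind condition C (terminated employees still active in AD, SAP and PS SIS, and how many of them logged in after their termination date) and the activity review in recommendation C.1 are a reconciliation that an institution can run itself between each access review. The Python below is an added example, not code from the audit, the auditors or LACCD; it assumes an HR termination list and per-system account exports joined with login dates, all of which are constructed inline here. The grace_days parameter is likewise an assumption, modelling a documented deprovisioning window rather than anything the finding prescribes.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample input (not audit data): HR-reported termination dates per user id.
TERMINATIONS = {
    "u100": date(2022, 9, 30),
    "u101": date(2023, 1, 15),
    "u102": date(2023, 3, 1),
    "u103": date(2023, 5, 20),
}


@dataclass(frozen=True)
class Account:
    """One row of a system's user export joined with that system's login log."""
    user_id: str
    system: str            # "AD", "SAP" or "PS SIS", as in the finding
    active: bool           # account still enabled in the export
    logins: tuple = ()     # login dates observed for the account


# Constructed account exports for the three systems the finding covers.
ACCOUNTS = (
    Account("u100", "AD", True, (date(2022, 9, 1), date(2022, 10, 4))),    # active; logged in after termination
    Account("u100", "SAP", True),                                           # active; no post-termination activity
    Account("u101", "AD", False, (date(2023, 1, 10),)),                     # disabled in time; no issue
    Account("u101", "PS SIS", True, (date(2023, 2, 2), date(2023, 2, 9))),  # active; logged in after termination
    Account("u102", "SAP", True, (date(2023, 2, 27),)),                     # active; last login before termination
    Account("u103", "PS SIS", False, (date(2023, 5, 25),)),                 # disabled now, but used after termination
    Account("u999", "AD", True, (date(2023, 6, 1),)),                       # current employee; out of scope
)


def reconcile(terminations, accounts, grace_days=0):
    """Per system, list terminated users whose accounts are still active, and the
    post-termination login dates of every terminated user (active or not), so the
    activity can be reviewed as recommendation C.1 asks. grace_days (assumed
    parameter) is a deprovisioning window before a login counts as post-termination."""
    report = {}
    for acct in accounts:
        term_date = terminations.get(acct.user_id)
        if term_date is None:
            continue  # not a terminated employee; not in scope of this test
        cutoff = term_date + timedelta(days=grace_days)
        bucket = report.setdefault(acct.system, {"still_active": [], "post_termination_logins": {}})
        if acct.active:
            bucket["still_active"].append(acct.user_id)
        late = sorted(d for d in acct.logins if d > cutoff)
        if late:
            bucket["post_termination_logins"][acct.user_id] = late
    return report


def summary(report):
    """Counts in the shape the finding states them: per system, the number of
    terminated users still active and how many of those logged in after termination."""
    out = {}
    for system, bucket in report.items():
        active = bucket["still_active"]
        active_with_logins = [u for u in active if u in bucket["post_termination_logins"]]
        out[system] = (len(active), len(active_with_logins))
    return out


if __name__ == "__main__":
    report = reconcile(TERMINATIONS, ACCOUNTS)
    for system, (active, logged_in) in summary(report).items():
        print(f"{system}: {active} terminated user(s) still active, {logged_in} of whom logged in after termination")
    for system, bucket in report.items():
        for user, dates in bucket["post_termination_logins"].items():
            print(f"  review {system} activity of {user} on {', '.join(d.isoformat() for d in dates)}")
```

Two design points matter when this is run on real exports. First, post-termination logins are kept for disabled accounts too (u103 above): the account being disabled today does not make the activity between termination and disablement any less reviewable. Second, the HR termination list is the source of truth for scope, so an account with no HR record (u999) is ignored here and belongs instead to the broader regular access review of recommendation C.3.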
Finding FA 2023-004: Special Tests and Provisions – Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device – Failure to Submit URL to the Secretary of Education for Publication in a Centralized Database Accessible to the Public

Federal Catalog Number: ALN 84.007, 84.033, 84.038, 84.063, and 93.364
Federal Program Name: Student Financial Assistance Cluster: Federal Supplemental Educational Opportunity Grants (FSEOG); Federal Work-Study Program (FWS); Federal Perkins Loan Program; Federal Pell Grant Program; Federal Direct Student Loans; Nursing Student Loans (NSL)
Federal Agency: U.S. Department of Education (ED)
Passed Through Entity: N/A
Federal Award Number:
FSEOG: P007A210450, P007A210365, P007A210451, P007A210452, P007A210453, P007A210455, P007A210456, P007A210457, P007A210676
FWS: P033A210450, P033A210365, P033A210451, P033A210452, P033A210453, P033A210455, P033A210456, P033A210457, P033A210676
Pell: P063P210033, P063P215263, P063P210034, P063P210658, P063P210035, P063P215261, P063P215260, P063P210036, P063P215262
NSL: P268K220033, P268K225263, P268K220034, P268K220658, P268K220035, P268K225261, P268K225260, P268K220036, P268K225262
Federal Award Year: July 1, 2022, to June 30, 2023
Campuses: Los Angeles Community College District
Compliance Requirement: Special Tests and Provisions: Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device

Criteria or Specific Requirements: Per 34 Code of Federal Regulations 668.164, Disbursing Funds: In a Tier One (T1) arrangement, an institution located in a State has a contract with a third-party servicer under which the servicer performs one or more of the functions associated with processing direct payments of Title IV, HEA program funds on behalf of the institution. The institution or third-party servicer makes payments to one or more financial accounts that are offered to students under the contract; a financial account where information about the account is communicated directly to students by the third-party servicer, or by the institution on behalf of or in conjunction with the third-party servicer; or a financial account where information about the account is communicated directly to students by an entity contracting with or affiliated with the third-party servicer. Institutions with a T1 arrangement should, no later than September 1, 2017, and then no later than 60 days following the most recently completed award year thereafter, disclose conspicuously on the institution’s website, in a format established by the Secretary of Education, the total consideration for the most recently completed award year, monetary and non-monetary, paid or received by the parties under the terms of the contract; and, for any year in which the institution’s enrolled students open 30 or more financial accounts under the T1 arrangement, the number of students who had financial accounts under the contract at any time during the most recently completed award year and the mean and median of the actual costs incurred by those account holders. The institution should also provide the Secretary with an up-to-date Uniform Resource Locator (URL) for the contract and contract data described above, for publication in a centralized database accessible to the public.

Identified Condition: We noted that the District’s URL link to its contract with BMTX, Inc. (BankMobile), together with the other required information, was not included in the latest Cash Management Contracts Database published by ED in March 2022, because the District was unable to provide the URL link to ED for the award year ended June 30, 2023.

Cause and Effect: Due to a miscommunication between District staff and BankMobile staff, the website link was not submitted to the Department of Education, although the report was published and available to the public.

Questioned Costs: None.

Recommendation: We recommend that the District review its roles and responsibilities with BankMobile and implement control procedures to ensure that the District remains compliant with the requirements of the Uniform Guidance and the Code of Federal Regulations.

Views of Responsible Officials and Planned Corrective Actions: The District has taken responsibility for providing the Department of Education with the website link and will provide it going forward.
Personnel Responsible for Implementation: Nyame-Tease Prempeh
Position of Responsible Personnel: Assistant Director of Accounting
Expected Date of Implementation: November 1, 2023
Finding FA 2023-005: Reporting – Untimely and Incomplete Posting of Quarterly Reports to the College’s Website and Inaccurate Reported Expenditures Captured in the Published Website’s Quarterly Reports

Federal Catalog Number: ALN 84.425E, 84.425F, and 84.425L
Federal Program Name: Higher Education Emergency Relief Fund
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: P425E200844, P425F202148, P425L200439, P425E204139, P425F203076, P425L200440
Federal Award Year: July 1, 2022, to June 30, 2023
Campuses: Los Angeles Pierce College; Los Angeles Trade Technical College
Compliance Requirement: Reporting

Criteria or Specific Requirements: Per the U.S. Department of Education Notice of Public Posting Requirement of Grant Information for Higher Education Emergency Relief Fund (HEERF) Grantees: The Certification and Agreements for the Coronavirus Response and Relief Supplemental Appropriations Act of 2021 (CRRSAA) and American Rescue Plan (ARP) (a)(1) and (a)(4) funds provide that each institution applying for HEERF funds must promptly and timely provide a detailed accounting of the use and expenditure of the funds in such manner and with such frequency as the Secretary may require. Each HEERF participating institution must post the information listed below on the institution’s primary website as an initial report under the CRRSAA and ARP (a)(1) and (a)(4) programs. This report is associated with the approved information collection under OMB control number 1801–0005. This information must appear in a format and location that is easily accessible to the public. This information must also be updated no later than 10 days after the end of each calendar quarter (September 30, December 31, March 31, and June 30) thereafter, unless the Secretary specifies an alternative method of reporting.

Identified Condition:

A. Untimely Posting of Quarterly Reports on the College’s Website
We noted that Los Angeles Pierce College’s Quarterly Budget and Expenditure Reports for all HEERF I, II, and III grant funds covering the quarters ending December 31, 2022, and March 31, 2023, were not publicly posted on the college’s primary website.

B. Incomplete Posting of Published Links Related to the Quarterly Report on the College’s Website
We noted that Los Angeles Trade Technical College’s Quarterly Budget and Expenditure Report for all HEERF I, II, and III grant funds covering the quarter ending June 30, 2023, was not completely posted on the college’s primary website. The link to the report for the quarter ending June 30, 2023, was published on time, but the link incorrectly redirects to the March 31, 2023, quarterly report.

C. Inaccuracy of Quarterly Expenditures Reported on the College’s Website
We noted that the expenditures reported in Los Angeles Pierce College’s Quarterly Budget and Expenditure Reports for all HEERF I, II, and III grant funds covering the quarters ending December 31, 2022, and June 30, 2023, were inaccurate.
• For the quarter ending December 31, 2022, the expenditures were overstated by $284,593 due to the inclusion of expenditures already reported for the previous quarter ending September 30, 2022. Per inquiry, the preparer inadvertently reported the expenditures on a cumulative basis.
• For the quarter ending June 30, 2023, the expenditures were erroneously reported as zero, which resulted in an understatement equal to the actual expenditures incurred, amounting to $2,007,950.

Cause and Effect:
Los Angeles Trade Technical College: The reports were posted to the website on time. However, due to a clerical error, the link for the June 30, 2023, report directed users to the March 31, 2023, report. The effect was that, although the correct file existed on the server, there was no link for users to access it. This has been corrected.
Los Angeles Pierce College: The college experienced a break in the coordination of the report review, which resulted in an error on the published report. There was also a misunderstanding about accumulating data from prior reported periods.

Questioned Costs: None.

Recommendation: We recommend that the campuses review their approval process prior to posting the reports online by having formal preparer and approver sign-offs to ensure that the supporting documents correctly match the reports posted online. Additionally, we recommend that the campuses enhance coordination between the report approver and the website manager to ensure that the reports are properly linked in the backend of the website and are posted on time once prepared.

Views of Responsible Officials and Planned Corrective Actions:
Los Angeles Trade Technical College: The cause of the incorrect link was a clerical error, and the error has since been corrected; the condition no longer exists and is resolved.
Personnel Responsible for Implementation: LATTC – Charalambos Ziogas/Daniel Friedman
Position of Responsible Personnel: VPAS/CFA
Expected Date of Implementation: October 16, 2023
Los Angeles Pierce College: The college will work with District staff to update the process of reviewing, approving, and publishing or providing the reports to the appropriate websites and agencies.
Personnel Responsible for Implementation: Ron Paquette
Position of Responsible Personnel: Associate Vice President, Admin Services
Expected Date of Implementation: November 1, 2023
Finding FA 2023-006: Reporting: Untimely Submission of Quarterly Financial Reports

Federal Program Information
Federal Catalog Number: ALN 17.268
Federal Program Name: H-1B Job Training Grant
Federal Agency: U.S. Department of Labor
Passed Through Entity: N/A
Federal Award Number: HG-33046-19-60-A-6
Federal Award Year: July 1, 2022 to June 30, 2023
Campus: West Los Angeles College
Compliance Requirement: Reporting

Criteria or Specific Requirement: Per the terms and conditions of the grant agreement with the U.S. Department of Labor (DOL) – Employment and Training Administration (ETA), all ETA recipients are required to report quarterly financial data on the ETA-9130 Form. ETA-9130 reports are due no later than 45 calendar days after the end of each specified reporting quarter.

Identified Condition: We noted that 2 out of 4 quarterly financial reports (ETA-9130) were certified late on the U.S. Department of Labor website, as follows: See schedule of findings and questioned costs. Per inquiry with the District, the Accounting Department attempted to certify the quarterly reports before the due date but encountered log-in issues on the U.S. DOL website, which prevented timely certification. The District requested a reporting extension from Joshua Hodges, Federal Project Officer for the Office of Special Initiatives and Demonstrations, U.S. DOL-ETA. Mr. Hodges did not authorize the extension and suggested submitting the quarterly reports via the Payment Management System (PMS) and coordinating with the agency’s technical team to resolve the issues.

Cause and Effect: The District’s approval officers were available to certify the reports; however, due to technical issues with the PMS system, certification could not be completed within the allotted time.

Questioned Costs: None.
Recommendation: We recommend that the District schedule and finalize its quarterly report submissions a week or two before the due date to ensure that sufficient time is available to resolve unforeseen issues, such as the technical problems with the U.S. DOL website. Otherwise, an authorized waiver from the agency must be secured for late reporting.

Views of Responsible Officials and Planned Corrective Actions: The District will review reporting timelines and reschedule to allow additional time for unforeseen issues.
Personnel Responsible for Implementation: Nyame-Tease Prempeh
Position of Responsible Personnel: Assistant Director of Accounting
Expected Date of Implementation: November 1, 2023
Finding FA 2023-001: Eligibility: Incorrect Federal Pell Grant Amounts Awarded (Repeat Finding)

Federal Program Information
Assistance Listing Number: ALN 84.063
Federal Program Name: Student Financial Assistance Cluster; Federal Pell Grant Program
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: P063P200033 (Steve to Confirm)
Federal Award Year: July 1, 2022, to June 30, 2023
Campus: West Los Angeles College
Compliance Requirement: Eligibility

Criteria or Specific Requirement: Per 34 Code of Federal Regulations (CFR) 690.62, Calculation of a Federal Pell Grant, the amount of a student’s Pell Grant for an academic year is based upon the payment and disbursement schedules published by the Secretary for each award year. The Uniform Guidance Compliance Supplement states that the Department of Education provides institutions with Payment and Disbursement Schedules for determining Pell awards each year. The Payment or Disbursement Schedule provides the maximum annual amount a student would receive for a full academic year for a given enrollment status, Expected Family Contribution (EFC), and Cost of Attendance (COA). The Payment Schedule is used to determine the annual award for full-time, three-quarter-time, half-time, and less-than-half-time students.

2 CFR section 200.303 requires that non-Federal entities receiving Federal awards establish and maintain internal control over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal awards.

Identified Condition: Of the twenty (20) students selected for eligibility test work at West Los Angeles College, we noted the following:
• 1 student had an incorrectly calculated Federal Pell Grant award, which resulted in an understatement of the disbursement to the student by $773.
The student was eligible to receive $1,273 yet received $500 in Winter 2023.

Cause and Effect: The institution has reviewed the student’s award and determined that the student was inadvertently disbursed $500 instead of $1,273, which is considered to be an underpayment. Once identified by the auditors, the award was corrected and the difference refunded to the student. The Central Financial Aid Systems Unit and the District’s Student Information System (SIS) Information Technology department have reviewed both system controls and manual intervention, but the cause remains undetermined.

Questioned Costs: See schedule of findings and questioned costs. The District has a known net understatement of Pell Grant award disbursements of ($773). The projected total net understatement of the Pell Grant award disbursements is $186,345, as follows: See schedule of findings and questioned costs. This is computed by dividing the error found in the samples per term (Fall/Winter term – net underpayment ($773) and Spring/Summer terms – $0) by the total Pell awards disbursed in the sample size per term (Winter term – $64,577, and Spring/Summer terms – $81,046), multiplied by the total Pell awards disbursed for the identified colleges per term (Fall/Winter term – $15,567,394 and Spring/Summer terms – $14,958,472). The computation is made on a per-term basis at the campus level and not on a district-wide level.

Recommendation: We recommend that the District make the necessary system modifications to the PeopleSoft SIS to ensure student awards are properly calculated. This will help ensure that Federal Pell Grants are properly awarded to students who meet the eligibility requirements.

Views of Responsible Officials and Planned Corrective Actions: The District believes this error was an isolated incident and the effect is minimal, as we performed an extensive review of all nine campuses’ Pell Grant award disbursements for the term and found that this was the only similar award.
The District will monitor disbursements and will perform reconciliation on a monthly basis.
Personnel Responsible for Implementation: FA Office and the Central Financial Aid Unit
Position of Responsible Personnel: FA Managers
Expected Date of Implementation: Already Implemented
Finding FA 2023-002: Special Tests and Provisions: Return of Title IV Funds: Incorrect Calculation of Return of Title IV Funds, Untimely Notification of Grant Overpayment to Students and Secretary, Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date (Repeat Finding)

Federal Program Information
Federal Catalog Number: ALN 84.007, 84.033, 84.038, 84.048, 84.063 and 84.268
Federal Program Name: Student Financial Assistance Cluster; Federal Pell Grant Program; Federal Direct Student Loans
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: P007A210456, P063P215260, P268K225260, P007A210676, P063P215262, P268K225262, 21-C01-740
Federal Award Year: July 1, 2022, to June 30, 2023
Campuses:
Los Angeles City College (Repeat Finding)
East Los Angeles College (Repeat Finding)
Los Angeles Harbor College (Repeat Finding)
Los Angeles Mission College (Repeat Finding)
Los Angeles Pierce College (Repeat Finding)
Los Angeles Southwest College (Repeat Finding)
Los Angeles Trade Technical College (Repeat Finding)
Los Angeles Valley College (Repeat Finding)
West Los Angeles College (Repeat Finding)
Compliance Requirement: Special Tests and Provisions – Return of Title IV Funds

Criteria or Specific Requirement: Per 34 Code of Federal Regulations 668.22 (a)(1) through (a)(5): When a recipient of Title IV grant or loan assistance withdraws from an institution during a payment period or period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV aid earned by the student as of the student’s withdrawal date. If the total amount of Title IV assistance earned by the student is less than the amount that was disbursed to the student or on his or her behalf as of the date of the institution’s determination that the student withdrew, the difference must be returned to the Title IV programs as outlined in this section and no additional disbursements may be made to the student for the payment period or period of enrollment. If the amount the student earned is greater than the amount disbursed, the difference between the amounts must be treated as a post-withdrawal disbursement.

Per the Uniform Guidance Compliance Supplement:

Withdrawal Date: If an institution is required to take attendance, the withdrawal date is the last date of academic attendance, as determined by the institution from its attendance records. An institution is required to take attendance if:
a. The institution is required to take attendance for some or all of its students by an entity outside of the institution (such as the institution’s accrediting agency or state agency);
b. The institution itself has a requirement that its instructors take attendance; or
c. The institution or an outside entity has a requirement that can only be met by taking attendance or a comparable process, including, but not limited to, requiring that students in a program demonstrate attendance in the classes of that program or a portion of that program (34 CFR 668.22(b)(3)).

Note: As provided in the Department’s Program Integrity Q&As for Return of Title IV Funds, the monitoring of whether online students log into classes does not by itself result in an institution being an institution that is required to take attendance for Title IV, HEA program purposes because monitoring logins alone is not monitoring academic engagement (as defined under 34 CFR 600.2). However, an institution that collects and maintains information about students’ online activities for the purpose of tracking academic engagement is considered to be an institution that is required to take attendance for programs involving such tracking if that tracking:
1. Involves monitoring student attendance in a synchronous class, lecture, recitation, or field or laboratory activity, physically or online via a distance education platform, where there is an opportunity for interaction between the instructor and students; or
2. Is used to administratively withdraw students or to enforce an institutional attendance policy.

If an institution is not required to take attendance, the withdrawal date is (1) the date, as determined by the institution, that the student began the withdrawal process prescribed by the institution; (2) the date, as determined by the institution, that the student otherwise provided official notification to the institution, in writing or orally, of his or her intent to withdraw; (3) if the student ceases attendance without providing official notification to the institution of his or her withdrawal, the midpoint of the payment period or, if applicable, the period of enrollment; (4) if the institution determines that a student did not begin the withdrawal process or otherwise notify the institution of the intent to withdraw due to illness, accident, grievous personal loss or other circumstances beyond the student’s control, the date the institution determines is related to that circumstance; (5) if a student does not return from an approved leave of absence, the date that the institution determines the student began the leave of absence; or (6) if the student takes an unapproved leave of absence, the date that the student began the leave of absence. Notwithstanding the above, an institution that is not required to take attendance may use as the withdrawal date the last date of attendance at an academically related activity as documented by the institution (34 CFR 668.22(c) and (l)).

Title IV funds may be expended only towards the education of the students who can be proven to have been in attendance at the institution. In a distance education context, documenting that a student has logged into an online distance education platform or system is not sufficient, by itself, to demonstrate attendance by the student. To avoid returning all funds for a student who did not begin attendance, an institution must be able to document “attendance at any class.” To qualify as a last date of attendance for Return of Title IV purposes, an institution must demonstrate that a student participated in class or was otherwise engaged in an academically related activity, such as by contributing to an online discussion or initiating contact with a faculty member to ask a course-related question.

Timing of Return of Title IV Funds
Returns of Title IV funds are required to be deposited or transferred into the SFA account or electronic fund transfers initiated to ED as soon as possible, but no later than 45 days after the date the institution determines that the student withdrew. Returns by check are late if the check is issued more than 45 days after the institution determined the student withdrew or the date on the canceled check shows the check was endorsed more than 60 days after the date the institution determined that the student withdrew (34 CFR 668.173(b)).
An institution that is not required to take attendance must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew (34 CFR 668.22(j)). The institution must also notify the recipient of Title IV loans returned (34 CFR 685.306(a)(2)).

Identified Condition: See schedule of findings and questioned costs.

Description
A. Incorrect Calculation of Return to Title IV Funds
East Los Angeles College
We noted 1 of 15 students selected for return of Title IV funds test work from the population of students who had withdrawn, dropped out, or never began attendance that had an incorrect calculation of percentage of completion for Spring 2023 based on the student’s actual number of days completed during the enrollment period. The student was enrolled in a session module course, which is a program that does not span the entire length of the payment period or period of enrollment. For this type of course, the student’s “actively enrolled days” should have been used in the return of Title IV funds calculation. This error resulted in an overstatement of the institutional return by $13 and an overstatement of the student’s return by $21. The effect of the overstatement of the student’s return did not result in a questioned cost due to grant protection.

Los Angeles Southwest College
We noted 6 of 20 students selected for return of Title IV funds test work from the population of students who had withdrawn, dropped out, or never began attendance for Fall 2022 that had an incorrect calculation of the percentage of completion based on the student’s number of days completed during the enrollment period. For 3 students, these errors resulted in:
• 1 student with an understatement of institutional return of $37 and an understatement of student return of $287.
• 1 student with an understatement of institutional return of $11 and an understatement of student return of $197.
• 1 student with an overstatement of institutional return of $10 and an overstatement of student return of $20.
The effect of the above overstatement of the student return did not result in questioned costs due to grant protection.
For the remaining 3 students, we noted these students were enrolled in a session module course, which is a program that does not span the entire length of the payment period or period of enrollment. For this type of course, the student’s “actively enrolled days” should have been used in the return of Title IV funds calculation. These errors resulted in:
• 1 student with an overstatement of institutional return of $30.
• 1 student with an overstatement of institutional return of $187.
• 1 student with an overstatement of institutional return of $21 and an overstatement of student return of $9.
The effect of the overstatement of the student return did not result in questioned costs due to grant protection.

B. Untimely Notification of Grant Overpayment to the Secretary
We noted that 1 out of 15 students selected for compliance test work at East Los Angeles College who owed an overpayment of $187 as a result of the student’s withdrawal was referred to the Secretary of the Department of Education beyond the 30-day timeframe from the date of the institution’s determination that the student withdrew and owed an overpayment as a result of the withdrawal. The required notification was submitted to the National Student Loan Data System (NSLDS) 260 days late.

C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date
The District has not yet implemented a formal process to monitor a student’s active participation in an online class and engagement in academic activities related to a distance education (DE) course in order to determine the reasonableness and accuracy of the student’s withdrawal date in the system. Currently, the withdrawal date used in the calculation of return of Title IV funds is the actual date the student initiates the withdrawal from the course in the system.

Cause and Effect:
A. Incorrect Calculation of Return to Title IV Funds
East Los Angeles College
The Financial Aid Technician who processed the Spring 2023 return to Title IV had an oversight on that record during his review process. He had a family emergency during that period and had to leave in the middle of his review process. As a result, he forgot to deduct the spring break period from the total number of days for the enrollment period. This caused the calculation to be slightly off.

Los Angeles Southwest College
The person who was assigned the role of handling the return to Title IV program received limited training before he assumed the duties of return to Title IV calculations while also having to maintain his full load as a Financial Aid Technician. In addition to the limited training, there were changes as to how the program was administered and modules were calculated. This is an arduous task for a seasoned professional and a very challenging task for a novice at best. As with all newly assigned duties, given more time he would have become an expert in handling this program with minimal to zero errors.

B. Untimely Notification of Grant Overpayment to the Secretary
Every two weeks a new batch of return to Title IV reports is released to be processed. The urgency for each report to be completed within a certain time frame created confusion about the NSLDS reporting due date. The same Financial Aid Technician was in charge of completing each step of the process. East Los Angeles College has the largest return to Title IV population. The demand to meet the deadline caused an oversight for the NSLDS report.

C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date
The calculation of return to Title IV funds is a complex process. The District has invested significant resources to improve the accuracy of the process. The District is centralizing and automating the return to Title IV process to minimize potential errors. However, there are still manual aspects to the process. In particular, distance education (DE) courses require faculty to withdraw students from Canvas, the online content delivery application, and PeopleSoft, the District’s student information system. PeopleSoft is used to maintain student records and for administering aid. Incorrect information entered into either system can lead to an incorrect return to Title IV calculation, resulting in institutional liability and/or disciplinary action taken by the U.S. Department of Education.

Questioned Costs:
A. Incorrect Calculation of Return to Title IV Funds
See schedule of findings and questioned costs. The District has a known net understatement of the amount due from the student of $434 and a known net overstatement of the amount due from the District of $213. The projected total net understatement of amounts due from both the student and the District is $4,006, as follows: See schedule of findings and questioned costs. This is computed by dividing the errors found in the samples per term (Summer term – net understatement $0 and Fall/Spring terms – net understatement $221) by the total Pell awards disbursed in the sample size per term (Summer term – $5,000 and Fall/Spring terms – $176,293), multiplied by the total Pell awards disbursed for the identified colleges per term (Summer term – $67,595 and Fall/Spring terms – $3,195,662).
The computation is made on a per-term basis at the campus level and not on a district-wide level.
B. Untimely Notification of Grant Overpayment to the Secretary
None.
C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date
None.

Recommendation: We recommend that the District evaluate and improve its existing process and control procedures related to the return of Title IV funds, including notification and return due date requirements. This will help ensure 1) that the returns of Title IV funds are accurately calculated and 2) compliance with the notification and return due date requirements, in accordance with the Uniform Guidance and the Code of Federal Regulations. We recommend that the District implement additional controls at the course instructor level to effectively monitor student participation and engagement in academic activities related to DE courses in order for the instructor to determine the reasonableness and accuracy of a student’s withdrawal date listed in the system. This will help ensure that the withdrawal date used in the calculation of the return of Title IV funds is accurate.

Views of Responsible Officials and Planned Corrective Actions:
A. Incorrect Calculation of Return to Title IV Funds
East Los Angeles College
The corrective action plan that will be put in place is to develop a chart with a predetermined number of days based on the enrollment period. This will avoid the manual counting of the number of days for each student. We also trained an additional staff member to help with the workload. This will ensure that errors will be caught before the completion of the review process. Implementation will begin in Spring 2024. Staff is currently being trained.
Personnel Responsible for Implementation: Gavino Herrera
Position of Responsible Personnel: Financial Aid Supervisor
Expected Date of Implementation: Spring 2024

Los Angeles Southwest College
The corrective action that we are implementing to remediate this finding is to move the campus return to Title IV processing to the “R2T4 Unit” at the District Office.
Personnel Responsible for Implementation: Muniece R. Bruton
Position of Responsible Personnel: Financial Aid Manager
Expected Date of Implementation: December 1, 2023

B. Untimely Notification of Grant Overpayment to Students and Secretary
East Los Angeles College
The corrective action plan is being implemented by providing an additional staff member to assist with the return to Title IV process along with helping with the validation to ensure calculation, notification, and reporting to NSLDS will be completed on a timely basis. A reminder is set in the Financial Aid Technician’s Outlook calendar to help them meet the deadline of the reporting requirement.
Personnel Responsible for Implementation: Gavino Herrera
Position of Responsible Personnel: Financial Aid Supervisor
Expected Date of Implementation: Fall 2023

C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date
In the fall 2022 term, the District implemented training for all Distance Education (DE) faculty members to reduce the risk of data entry errors. DE faculty receive follow-up notifications at the beginning of every term. In addition, the District attempted to conduct random sampling to ensure the accuracy of the data entry. However, the District did not have the authorization or resources to perform sampling during the audit period. As a result, the corrective action plan (CAP) was only partially implemented during fiscal year 2023. In fall 2023, the District secured the human resources and required authorizations to conduct random sampling of the faculty data entry. The District’s Internal Audit Department (IAD) is performing random sampling at all campuses. As of fall 2023, all corrective actions have been fully implemented.
Personnel Responsible for Implementation: Steve Giorgi, Betsy Regalado, Keyna Crenshaw
Position of Responsible Personnel: Financial Aid Manager; Associate Vice Chancellor of Educational Programs and Institutional Effectiveness; LACCD Supervising Auditor
Expected Date of Implementation: Fall 2023
Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date The District has not yet implemented a formal process in place to monitor a student’s active participation in an online class and engagement in academic activities related to a distance education (DE) course in order to determine the reasonableness and accuracy of the student’s withdrawal date in the system. Currently, the withdrawal date used in the calculation of return to Title IV funds is the actual date the student initiates the withdrawal from the course in the system. Cause and Effect: A. Incorrect Calculation of Return to Title IV Funds East Los Angeles College The Financial Aid Technician who processed the Spring 2023 return to Title IV had an oversight on that record during his review process. He had a family emergency during that period and had to leave in the middle of his review process. As a result, he forgot to deduct the spring break period from the total number of days for the enrollment period. This caused the calculation to be slightly off. Los Angeles Southwest College The person who was assigned the role of handling the return to Title IV program received limited training before he assumed the duties of return to Title IV calculations while also having to maintain his full load as a Financial Aid Technician. In addition to the limited training, there were changes as to how the program was administered and modules were calculated. This is an arduous task for a seasoned professional and a very challenging task for a novice at best. As with all newly assigned duties, given more time he would have become an expert in handling this program with minimal to zero errors. B. Untimely Notification of Grant Overpayment to the Secretary Every two weeks a new batch of return to Title IV report is released to be processed. The urgency for each report to be completed within a certain time frame created confusion for the NSLDS reporting due date. 
The same Financial Aid Technician was in charge of completing each step of the process. East Los Angeles College has the largest return to Title IV population. The demand to meet the deadline process caused an oversight for the NSLDS report. C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date The calculation of return to Title IV funds is a complex process. The District has invested significant resources to improve the accuracy of the process. The District is centralizing and automating the return to Title IV process to minimize potential errors. However, there are still manual aspects to the process. In particular, distance education courses (DE) require faculty to withdraw students from Canvas, the online content delivery application, and Peoplesoft, the District’s student information system. Peoplesoft is used to maintain student records and for administering aid. Incorrect information entered into either system can lead to an incorrect return to Title IV calculation, resulting in institutional liability and/or disciplinary action taken by the U.S. Department of Education. Questioned Costs: A. Incorrect Calculation of Return to Title IV Funds See schedule of findings and questioned costs The District has a known net understatement of the amount due from the student of $434 and a known net overstatement of the amount due from the District of $213. The Projected total net understatement of amounts due from both the student and District is $4,006 as follows: See schedule of findings and questioned costs. This is computed by dividing the errors found in samples per term (Summer term – net understatement $0 and Fall/Spring terms – net understatement $221 over the total Pell awards disbursed in the sample size per term (Summer term – $5,000 and Fall/Spring terms – $176,293) multiplied by the total Pell awards disbursed for the identified colleges per term (Summer term – $67,595 and Fall/Spring terms – $3,195,662). 
The computation is made on a per-term basis on a campus level and not on a district-wide level. B. Untimely Notification of Grant Overpayment to the Secretary None. C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date None. Recommendation: We recommend that the District evaluate and improve its existing process and control procedures related to the return of Title IV funds, including notification and return due date requirements. This will help ensure 1) that the returns of Title IV funds are accurately calculated and 2) compliance with the notification and return due date requirements, in accordance with the Uniform Guidance and the Code of Federal Regulation. We recommend that the District implement additional controls at the course instructor level to effectively monitor student participation and engagement in academic activities related to DE courses in order for the instructor to determine the reasonableness and accuracy of a student’s withdrawal date listed in the system. This will help ensure that the withdrawal date used in the calculation of the return of Title IV funds is accurate. Views of Responsible Officials and Planned Corrective Actions: A. Incorrect Calculation of Return to Title IV Funds East Los Angeles College The corrective action plan that will be put in place is to develop a chart with a predetermined number of days based on the enrollment period. This will avoid the manual counting of the number of days for each student. We also trained an additional staff member to help with the workload. This will ensure that errors will be caught before the completion of the review process. Implementation will begin in Spring 2024. Staff is currently being trained. 
Personnel Responsible for Implementation: Gavino Herrera Position of Responsible Personnel: Financial Aid Supervisor Expected Date of Implementation: Spring 2024 Los Angeles Southwest College The corrective action that we are implementing to remediate this finding is to move the campus return to Title IV processing to the “R2T4 Unit” at the District Office. Personnel Responsible for Implementation: Muniece R. Bruton Position of Responsible Personnel: Financial Aid Manager Expected Date of Implementation: December 1, 2023 B. Untimely Notification of Grant Overpayment to Students and Secretary East Los Angeles College The Corrective Action plan is being implemented by providing an additional staff member to assist with the return to Title IV process along with helping with the validation to ensure calculation, notification, and reporting to NSLDS will be completed on a timely basis. A reminder is set in the Financial Aid Technician Outlook calendar to help remind them to help meet the deadline of the reporting requirement. Personnel Responsible for Implementation: Gavino Herrera Position of Responsible Personnel: Financial Aid Supervisor Expected Date of Implementation: Fall 2023 C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date In the fall 2022 term, the District implemented training for all Distance Education (DE) faculty members to reduce the risk of data entry errors. DE faculty receive follow-up notifications at the beginning of every term). In addition, the District attempted to conduct random sampling to ensure the accuracy of the data entry. However, the District did not have the authorization or resources to perform sampling during the audit period. As a result, the corrective action plan (CAP) was only partially implemented during fiscal year 2023. In fall 2023, the District secured the human resources and required authorizations to conduct random sampling of the faculty data entry. 
The District’s Internal Audit Department (IAD) is performing random sampling of all campuses. As of fall 2023, all corrective actions have been fully implemented. Personnel Responsible for Implementation: Steve Giorgi, Betsy Regalado, Keyna Crenshaw Position of Responsible Personnel: Financial Aid Manager, Associate Vice Chancellor of Educational Programs and Institutional Effectiveness, LACCD Supervising Auditor) Expected Date of Implementation: Fall 2023
Finding FA 2023-002: Special Tests and Provision: Return of Title IV Funds: Incorrect Calculation of Return of Title IV Funds, Untimely Notification of Grant Overpayment to Students and Secretary, Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date (Repeat Finding) Federal Program Information Federal Catalog Number: ALN 84.007, 84.033, 84.038, 84.048, 84.063 and 84.268 Federal Program Name: Student Financial Assistance Cluster; Federal Pell Grant Program Federal Direct Student Loans Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: P007A210456, P063P215260, P268K225260 P007A210676, P063P215262, P268K225262, 21-C01-740 Federal Award Year: July 1, 2022, to June 30, 2023 Campuses: Los Angeles City College (Repeat Finding) East Los Angeles College (Repeat Finding) Los Angeles Harbor College (Repeat Finding) Los Angeles Mission College (Repeat Finding) Los Angeles Pierce College (Repeat Finding) Los Angeles Southwest College (Repeat Finding) Los Angeles Trade Technical College (Repeat Finding) Los Angeles Valley College (Repeat Finding) West Los Angeles College (Repeat Finding) Compliance Requirement: Special Tests and Provisions – Return of Title IV Funds Criteria or Specific Requirement: Per 34 Code of Federal Regulations 668.22 (a)(1) through (a)(5): When a recipient of Title IV grant or loan assistance withdraws from an institution during a payment period or period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV aid earned by the student as of the student’s withdrawal date. 
If the total amount of Title IV assistance earned by the student is less than the amount that was disbursed to the student or on his or her behalf as of the date of the institution’s determination that the student withdrew, the difference must be returned to the Title IV programs as outlined in this section and no additional disbursements may be made to the student for the payment period or period of enrollment. If the amount the student earned is greater than the amount disbursed, the difference between the amounts must be treated as a post-withdrawal disbursement.

Per the Uniform Guidance Compliance Supplement:

Withdrawal Date: If an institution is required to take attendance, the withdrawal date is the last date of academic attendance, as determined by the institution from its attendance records. An institution is required to take attendance if:
a. The institution is required to take attendance for some or all of its students by an entity outside of the institution (such as the institution’s accrediting agency or state agency);
b. The institution itself has a requirement that its instructors take attendance; or
c. The institution or an outside entity has a requirement that can only be met by taking attendance or a comparable process, including, but not limited to, requiring that students in a program demonstrate attendance in the classes of that program or a portion of that program (34 CFR 668.22(b)(3)).

Note: As provided in the Department’s Program Integrity Q&As for Return of Title IV Funds, the monitoring of whether online students log into classes does not by itself result in an institution being an institution that is required to take attendance for Title IV, HEA program purposes, because monitoring logins alone is not monitoring academic engagement (as defined under 34 CFR 600.2).
However, an institution that collects and maintains information about students’ online activities for the purpose of tracking academic engagement is considered to be an institution that is required to take attendance for programs involving such tracking if that tracking:
1. Involves monitoring student attendance in a synchronous class, lecture, recitation, or field or laboratory activity, physically or online via a distance education platform, where there is an opportunity for interaction between the instructor and students; or
2. Is used to administratively withdraw students or to enforce an institutional attendance policy.

If an institution is not required to take attendance, the withdrawal date is:
(1) the date, as determined by the institution, that the student began the withdrawal process prescribed by the institution;
(2) the date, as determined by the institution, that the student otherwise provided official notification to the institution, in writing or orally, of his or her intent to withdraw;
(3) if the student ceases attendance without providing official notification to the institution of his or her withdrawal, the midpoint of the payment period or, if applicable, the period of enrollment;
(4) if the institution determines that a student did not begin the withdrawal process or otherwise notify the institution of the intent to withdraw due to illness, accident, grievous personal loss or other circumstances beyond the student’s control, the date the institution determines is related to that circumstance;
(5) if a student does not return from an approved leave of absence, the date that the institution determines the student began the leave of absence; or
(6) if the student takes an unapproved leave of absence, the date that the student began the leave of absence.
Notwithstanding the above, an institution that is not required to take attendance may use as the withdrawal date the last date of attendance at an academically related activity as documented by the institution (34 CFR 668.22(c) and (l)). Title IV funds may be expended only towards the education of the students who can be proven to have been in attendance at the institution. In a distance education context, documenting that a student has logged into an online distance education platform or system is not sufficient, by itself, to demonstrate attendance by the student. To avoid returning all funds for a student that did not begin attendance, an institution must be able to document “attendance at any class.” To qualify as a last date of attendance for Return of Title IV purposes, an institution must demonstrate that a student participated in class or was otherwise engaged in an academically related activity, such as by contributing to an online discussion or initiating contact with a faculty member to ask a course-related question.

Timing of Return of Title IV Funds: Returns of Title IV funds are required to be deposited or transferred into the SFA account, or electronic fund transfers initiated to ED, as soon as possible, but no later than 45 days after the date the institution determines that the student withdrew. Returns by check are late if the check is issued more than 45 days after the institution determined the student withdrew, or the date on the canceled check shows the check was endorsed more than 60 days after the date the institution determined that the student withdrew (34 CFR 668.173(b)).
An institution that is not required to take attendance must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew (34 CFR 668.22(j)). The institution must also notify the recipient of Title IV loans returned (34 CFR 685.306(a)(2)).

Identified Condition: See schedule of findings and questioned costs.

Description
A. Incorrect Calculation of Return to Title IV Funds
East Los Angeles College
We noted 1 of 15 students selected for return of Title IV funds test work from the population of students who had withdrawn, dropped out, or never began attendance that had an incorrect calculation of percentage of completion for Spring 2023 based on the student’s actual number of days completed during the enrollment period. The student was enrolled in a session module course, which is a program that does not span the entire length of the payment period or period of enrollment. For this type of course, the student’s “actively enrolled days” should have been used in the return of Title IV funds calculation. This error resulted in an overstatement of the institutional return by $13 and an overstatement of the student’s return by $21. The effect of the overstatement of the student’s return did not result in a questioned cost due to grant protection.
Los Angeles Southwest College
We noted 6 of 20 students selected for return of Title IV funds test work from the population of students who had withdrawn, dropped out or never began attendance for Fall 2022 that had an incorrect calculation of the percentage of completion based on the student’s number of days completed during the enrollment period.
For 3 students, these errors resulted in:
• 1 student with an understatement of institutional return of $37 and an understatement of student return of $287.
• 1 student with an understatement of institutional return of $11 and an understatement of student return of $197.
• 1 student with an overstatement of institutional return of $10 and an overstatement of student return of $20.
The effect of the above overstatement of the student return did not result in questioned costs due to grant protection.
For the remaining 3 students, we noted these students were enrolled in a session module course, which is a program that does not span the entire length of the payment period or period of enrollment. For this type of course, the student’s “actively enrolled days” should have been used in the return of Title IV funds calculation. These errors resulted in:
• 1 student with an overstatement of institutional return of $30.
• 1 student with an overstatement of institutional return of $187.
• 1 student with an overstatement of institutional return of $21 and an overstatement of student return of $9.
The effect of the overstatement of the student return did not result in questioned costs due to grant protection.
B. Untimely Notification of Grant Overpayment to the Secretary
We noted that 1 out of 15 students selected for compliance test work at East Los Angeles College who owed an overpayment of $187 as a result of the student’s withdrawal was referred to the Secretary of the Department of Education beyond the 30-day timeframe from the date of the institution’s determination that the student withdrew and owed overpayments as a result of the student’s withdrawal. The required notification was submitted to the National Student Loan Data System (NSLDS) 260 days late.
C.
Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date
The District has not yet put in place a formal process to monitor a student’s active participation in an online class and engagement in academic activities related to a distance education (DE) course in order to determine the reasonableness and accuracy of the student’s withdrawal date in the system. Currently, the withdrawal date used in the calculation of return to Title IV funds is the actual date the student initiates the withdrawal from the course in the system.

Cause and Effect:
A. Incorrect Calculation of Return to Title IV Funds
East Los Angeles College
The Financial Aid Technician who processed the Spring 2023 return to Title IV had an oversight on that record during his review process. He had a family emergency during that period and had to leave in the middle of his review process. As a result, he forgot to deduct the spring break period from the total number of days for the enrollment period. This caused the calculation to be slightly off.
Los Angeles Southwest College
The person who was assigned the role of handling the return to Title IV program received limited training before he assumed the duties of return to Title IV calculations while also having to maintain his full load as a Financial Aid Technician. In addition to the limited training, there were changes as to how the program was administered and modules were calculated. This is an arduous task for a seasoned professional and a very challenging task for a novice at best. As with all newly assigned duties, given more time he would have become an expert in handling this program with minimal to zero errors.
B. Untimely Notification of Grant Overpayment to the Secretary
Every two weeks a new batch of return to Title IV reports is released to be processed. The urgency for each report to be completed within a certain time frame created confusion about the NSLDS reporting due date.
The same Financial Aid Technician was in charge of completing each step of the process. East Los Angeles College has the largest return to Title IV population. The demand to meet the deadline caused an oversight for the NSLDS report.
C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date
The calculation of return to Title IV funds is a complex process. The District has invested significant resources to improve the accuracy of the process. The District is centralizing and automating the return to Title IV process to minimize potential errors. However, there are still manual aspects to the process. In particular, distance education (DE) courses require faculty to withdraw students from Canvas, the online content delivery application, and PeopleSoft, the District’s student information system. PeopleSoft is used to maintain student records and for administering aid. Incorrect information entered into either system can lead to an incorrect return to Title IV calculation, resulting in institutional liability and/or disciplinary action taken by the U.S. Department of Education.

Questioned Costs:
A. Incorrect Calculation of Return to Title IV Funds
See schedule of findings and questioned costs.
The District has a known net understatement of the amount due from the student of $434 and a known net overstatement of the amount due from the District of $213. The projected total net understatement of amounts due from both the student and District is $4,006, as follows (see schedule of findings and questioned costs). This is computed by dividing the errors found in samples per term (Summer term – net understatement $0 and Fall/Spring terms – net understatement $221) by the total Pell awards disbursed in the sample size per term (Summer term – $5,000 and Fall/Spring terms – $176,293), multiplied by the total Pell awards disbursed for the identified colleges per term (Summer term – $67,595 and Fall/Spring terms – $3,195,662).
The computation is made on a per-term basis at the campus level and not on a district-wide level.
B. Untimely Notification of Grant Overpayment to the Secretary
None.
C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date
None.

Recommendation: We recommend that the District evaluate and improve its existing process and control procedures related to the return of Title IV funds, including notification and return due date requirements. This will help ensure 1) that the returns of Title IV funds are accurately calculated and 2) compliance with the notification and return due date requirements, in accordance with the Uniform Guidance and the Code of Federal Regulations. We recommend that the District implement additional controls at the course instructor level to effectively monitor student participation and engagement in academic activities related to DE courses, so that the instructor can determine the reasonableness and accuracy of a student’s withdrawal date listed in the system. This will help ensure that the withdrawal date used in the calculation of the return of Title IV funds is accurate.

Views of Responsible Officials and Planned Corrective Actions:
A. Incorrect Calculation of Return to Title IV Funds
East Los Angeles College
The corrective action plan that will be put in place is to develop a chart with a predetermined number of days based on the enrollment period. This will avoid the manual counting of the number of days for each student. We also trained an additional staff member to help with the workload. This will ensure that errors will be caught before the completion of the review process. Implementation will begin in Spring 2024. Staff is currently being trained.
Personnel Responsible for Implementation: Gavino Herrera
Position of Responsible Personnel: Financial Aid Supervisor
Expected Date of Implementation: Spring 2024
Los Angeles Southwest College
The corrective action that we are implementing to remediate this finding is to move the campus return to Title IV processing to the “R2T4 Unit” at the District Office.
Personnel Responsible for Implementation: Muniece R. Bruton
Position of Responsible Personnel: Financial Aid Manager
Expected Date of Implementation: December 1, 2023
B. Untimely Notification of Grant Overpayment to Students and Secretary
East Los Angeles College
The Corrective Action plan is being implemented by providing an additional staff member to assist with the return to Title IV process along with helping with the validation to ensure calculation, notification, and reporting to NSLDS will be completed on a timely basis. A reminder is set in the Financial Aid Technician’s Outlook calendar to help remind them to meet the deadline of the reporting requirement.
Personnel Responsible for Implementation: Gavino Herrera
Position of Responsible Personnel: Financial Aid Supervisor
Expected Date of Implementation: Fall 2023
C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date
In the fall 2022 term, the District implemented training for all Distance Education (DE) faculty members to reduce the risk of data entry errors. DE faculty receive follow-up notifications at the beginning of every term. In addition, the District attempted to conduct random sampling to ensure the accuracy of the data entry. However, the District did not have the authorization or resources to perform sampling during the audit period. As a result, the corrective action plan (CAP) was only partially implemented during fiscal year 2023. In fall 2023, the District secured the human resources and required authorizations to conduct random sampling of the faculty data entry.
The District’s Internal Audit Department (IAD) is performing random sampling of all campuses. As of fall 2023, all corrective actions have been fully implemented.
Personnel Responsible for Implementation: Steve Giorgi, Betsy Regalado, Keyna Crenshaw
Position of Responsible Personnel: Financial Aid Manager, Associate Vice Chancellor of Educational Programs and Institutional Effectiveness, LACCD Supervising Auditor
Expected Date of Implementation: Fall 2023
Finding FA 2023-002: Special Tests and Provision: Return of Title IV Funds: Incorrect Calculation of Return of Title IV Funds, Untimely Notification of Grant Overpayment to Students and Secretary, Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date (Repeat Finding) Federal Program Information Federal Catalog Number: ALN 84.007, 84.033, 84.038, 84.048, 84.063 and 84.268 Federal Program Name: Student Financial Assistance Cluster; Federal Pell Grant Program Federal Direct Student Loans Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: P007A210456, P063P215260, P268K225260 P007A210676, P063P215262, P268K225262, 21-C01-740 Federal Award Year: July 1, 2022, to June 30, 2023 Campuses: Los Angeles City College (Repeat Finding) East Los Angeles College (Repeat Finding) Los Angeles Harbor College (Repeat Finding) Los Angeles Mission College (Repeat Finding) Los Angeles Pierce College (Repeat Finding) Los Angeles Southwest College (Repeat Finding) Los Angeles Trade Technical College (Repeat Finding) Los Angeles Valley College (Repeat Finding) West Los Angeles College (Repeat Finding) Compliance Requirement: Special Tests and Provisions – Return of Title IV Funds Criteria or Specific Requirement: Per 34 Code of Federal Regulations 668.22 (a)(1) through (a)(5): When a recipient of Title IV grant or loan assistance withdraws from an institution during a payment period or period of enrollment in which the recipient began attendance, the institution must determine the amount of Title IV aid earned by the student as of the student’s withdrawal date. 
If the total amount of Title IV assistance earned by the student is less than the amount that was disbursed to the student or on his or her behalf as of the date of the institution’s determination that the student withdrew, the difference must be returned to the Title IV programs as outlined in this section and no additional disbursements may be made to the student for the payment period or period of enrollment. If the amount the student earned is greater than the amount disbursed, the difference between the amounts must be treated as a post-withdrawal disbursement. Per the Uniform Guidance Compliance Supplement: Withdrawal Date: If an institution is required to take attendance, the withdrawal date is the last date of academic attendance, as determined by the institution from its attendance records. An institution is required to take attendance if: a. The institution is required to take attendance for some or all of its students by an entity outside of the institution (such as the institution’s accrediting agency or state agency); b. The institution itself has a requirement that its instructors take attendance; or c. The institution or an outside entity has a requirement that can only be met by taking attendance or a comparable process, including, but not limited to, requiring that students in a program demonstrate attendance in the classes of that program or a portion of that program (34 CFR 668.22(b)(3)). Note: As provided in the Department’s Program Integrity Q&As for Return of Title IV Funds, the monitoring of whether online students log into classes does not by itself result in an institution being an institution that is required to take attendance for Title IV, HEA program purposes because monitoring logins alone is not monitoring academic engagement (as defined under 34 CFR 600.2). 
However, an institution that collects and maintains information about students’ online activities for the purpose of tracking academic engagement is considered to be an institution that is required to take attendance for programs involving such tracking if that tracking: 1. Involves monitoring student attendance in a synchronous class, lecture, recitation, or field or laboratory activity, physically or online via a distance education platform, where there is an opportunity for interaction between the instructor and students; or 2. Is used to administratively withdraw students or to enforce an institutional attendance policy. If an institution is not required to take attendance, the withdrawal date is (1) the date, as determined by the institution, that the student began the withdrawal process prescribed by the institution; (2) the date, as determined by the institution, that the student otherwise provided official notification to the institution, in writing or orally, of his or her intent to withdraw; (3) if the student ceases attendance without providing official notification to the institution of his or her withdrawal, the midpoint of the payment period or, if applicable, the period of enrollment; (4) if the institution determines that a student did not begin the withdrawal process or otherwise notify the institution of the intent to withdraw due to illness, accident, grievous personal loss or other circumstances beyond the student’s control, the date the institution determines is related to that circumstance; (5) if a student does not return from an approved leave of absence, the date that the institution determines the student began the leave of absence; or (6) if the student takes an unapproved leave of absence, the date that the student began the leave of absence. 
Notwithstanding the above, an institution that is not required to take attendance may use as the withdrawal date, the last date of attendance at an academically related activity as documented by the institution (34 CFR668.22(c) and (l)). Title IV funds may be expended only towards the education of the students who can be proven to have been in attendance at the institution. In a distance education context, documenting that a student has logged into an online distance education platform or system is not sufficient, by itself, to demonstrate attendance by the student. To avoid returning all funds for a student that did not begin attendance, an institution must be able to document “attendance at any class.” To qualify as a last date of attendance for Return of Title IV purposes, an institution must demonstrate that a student participated in class or was otherwise engaged in an academically related activity, such as by contributing to an online discussion or initiating contact with a faculty member to ask a course-related question. Timing of Return of Title IV Funds Returns of Title IV funds are required to be deposited or transferred into the SFA account or electronic fund transfers initiated to ED as soon as possible, but no later than 45 days after the date the institution determines that the student withdrew. Returns by check are late if the check is issued more than 45 days after the institution determined the student withdrew or the date on the canceled check shows the check was endorsed more than 60 days after the date the institution determined that the student withdrew (34 CFR 668.173(b)). 
An institution that is not required to take attendance must determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the (1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew (34 CFR 668.22(j)). The institution must also notify the recipient of Title IV loans returned (34 CFR 685.306(a)(2)). Identified Condition: See schedule of findings and questioned costs Description A. Incorrect Calculation of Return to Title IV Funds East Los Angeles College We noted 1 of 15 students selected for return of Title IV funds test work from the population of students who had withdrawn, dropped out, or never began attendance that had an incorrect calculation of percentage of completion for Spring 2023 based on the student’s actual number of days completed during the enrollment period. The student was enrolled in a session module course, which is a program that does not span the entire length of the payment period or period of enrollment. For this type of course, the student’s “actively enrolled days” should have been used in the return of Title IV funds calculation. This error resulted in an overstatement of the institutional return by $13 and an overstatement of the student’s return by $21. The effect of the overstatement of the student’s return did not result in a questioned cost due to grant protection. Los Angeles Southwest College We noted 6 of 20 students selected for return of Title IV funds test work from the population of students who had withdrawn, dropped out or never began attendance for Fall 2022 that had had an incorrect calculation of the percentage of completion based on the student’s number of days completed during the enrollment period. 
For 3 students, these errors resulted in: • 1 student with an understatement of institutional return of $37 and an understatement of student return of $287. • 1 student with an understatement of institutional return of $11 and an understatement of student return of $197. • 1 student with an overstatement of institutional return of $10 and overstatement of student return of $20. The effect of the above overstatement of the student return did not result in questioned costs due to grant protection. For the remaining 3 students, we noted these students were enrolled in a session module course, which is a program that does not span the entire length of the payment period or period of enrollment. For this type of course, the student’s “actively enrolled days” should have been used in the return of Title IV funds calculation These errors resulted in: • 1 student with an overstatement of institutional return of $30. • 1 student with an overstatement of institutional return of $187. • 1 student with an overstatement of institutional return of $21 and an overstatement of student return of $9. The effect of the overstatement of the student return did not result in questioned costs due to grant protection. B. Untimely Notification of Grant Overpayment to the Secretary We noted that 1 out of 15 students selected for compliance test work at East Los Angeles College that owed an overpayment of $187 as a result of the student’s withdrawal was referred to the Secretary of the Department of Education beyond the 30-day timeframe from the date of the institution’s determination that the student withdrew and owed overpayments as a result of the student’s withdrawal. The required notification was submitted to the National Student Loan Data System (NSLDS) 260 days late. C. 
Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date The District has not yet implemented a formal process in place to monitor a student’s active participation in an online class and engagement in academic activities related to a distance education (DE) course in order to determine the reasonableness and accuracy of the student’s withdrawal date in the system. Currently, the withdrawal date used in the calculation of return to Title IV funds is the actual date the student initiates the withdrawal from the course in the system. Cause and Effect: A. Incorrect Calculation of Return to Title IV Funds East Los Angeles College The Financial Aid Technician who processed the Spring 2023 return to Title IV had an oversight on that record during his review process. He had a family emergency during that period and had to leave in the middle of his review process. As a result, he forgot to deduct the spring break period from the total number of days for the enrollment period. This caused the calculation to be slightly off. Los Angeles Southwest College The person who was assigned the role of handling the return to Title IV program received limited training before he assumed the duties of return to Title IV calculations while also having to maintain his full load as a Financial Aid Technician. In addition to the limited training, there were changes as to how the program was administered and modules were calculated. This is an arduous task for a seasoned professional and a very challenging task for a novice at best. As with all newly assigned duties, given more time he would have become an expert in handling this program with minimal to zero errors. B. Untimely Notification of Grant Overpayment to the Secretary Every two weeks a new batch of return to Title IV report is released to be processed. The urgency for each report to be completed within a certain time frame created confusion for the NSLDS reporting due date. 
The same Financial Aid Technician was in charge of completing each step of the process. East Los Angeles College has the largest return to Title IV population. The demand to meet the deadline process caused an oversight for the NSLDS report. C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date The calculation of return to Title IV funds is a complex process. The District has invested significant resources to improve the accuracy of the process. The District is centralizing and automating the return to Title IV process to minimize potential errors. However, there are still manual aspects to the process. In particular, distance education courses (DE) require faculty to withdraw students from Canvas, the online content delivery application, and Peoplesoft, the District’s student information system. Peoplesoft is used to maintain student records and for administering aid. Incorrect information entered into either system can lead to an incorrect return to Title IV calculation, resulting in institutional liability and/or disciplinary action taken by the U.S. Department of Education. Questioned Costs: A. Incorrect Calculation of Return to Title IV Funds See schedule of findings and questioned costs The District has a known net understatement of the amount due from the student of $434 and a known net overstatement of the amount due from the District of $213. The Projected total net understatement of amounts due from both the student and District is $4,006 as follows: See schedule of findings and questioned costs. This is computed by dividing the errors found in samples per term (Summer term – net understatement $0 and Fall/Spring terms – net understatement $221 over the total Pell awards disbursed in the sample size per term (Summer term – $5,000 and Fall/Spring terms – $176,293) multiplied by the total Pell awards disbursed for the identified colleges per term (Summer term – $67,595 and Fall/Spring terms – $3,195,662). 
The computation is made on a per-term basis on a campus level and not on a district-wide level. B. Untimely Notification of Grant Overpayment to the Secretary None. C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date None. Recommendation: We recommend that the District evaluate and improve its existing process and control procedures related to the return of Title IV funds, including notification and return due date requirements. This will help ensure 1) that the returns of Title IV funds are accurately calculated and 2) compliance with the notification and return due date requirements, in accordance with the Uniform Guidance and the Code of Federal Regulation. We recommend that the District implement additional controls at the course instructor level to effectively monitor student participation and engagement in academic activities related to DE courses in order for the instructor to determine the reasonableness and accuracy of a student’s withdrawal date listed in the system. This will help ensure that the withdrawal date used in the calculation of the return of Title IV funds is accurate. Views of Responsible Officials and Planned Corrective Actions: A. Incorrect Calculation of Return to Title IV Funds East Los Angeles College The corrective action plan that will be put in place is to develop a chart with a predetermined number of days based on the enrollment period. This will avoid the manual counting of the number of days for each student. We also trained an additional staff member to help with the workload. This will ensure that errors will be caught before the completion of the review process. Implementation will begin in Spring 2024. Staff is currently being trained. 
Personnel Responsible for Implementation: Gavino Herrera
Position of Responsible Personnel: Financial Aid Supervisor
Expected Date of Implementation: Spring 2024

Los Angeles Southwest College
The corrective action that we are implementing to remediate this finding is to move the campus return to Title IV processing to the "R2T4 Unit" at the District Office.
Personnel Responsible for Implementation: Muniece R. Bruton
Position of Responsible Personnel: Financial Aid Manager
Expected Date of Implementation: December 1, 2023

B. Untimely Notification of Grant Overpayment to Students and Secretary
East Los Angeles College
The corrective action plan is being implemented by providing an additional staff member to assist with the return to Title IV process and with validation, to ensure that calculation, notification, and reporting to NSLDS will be completed on a timely basis. A reminder is set in the Financial Aid Technician's Outlook calendar to help them meet the deadline of the reporting requirement.
Personnel Responsible for Implementation: Gavino Herrera
Position of Responsible Personnel: Financial Aid Supervisor
Expected Date of Implementation: Fall 2023

C. Distance Education Courses – Lack of Formal Process to Determine Accuracy of Student Withdrawal Date
In the fall 2022 term, the District implemented training for all Distance Education (DE) faculty members to reduce the risk of data entry errors. DE faculty receive follow-up notifications at the beginning of every term. In addition, the District attempted to conduct random sampling to ensure the accuracy of the data entry. However, the District did not have the authorization or resources to perform sampling during the audit period. As a result, the corrective action plan (CAP) was only partially implemented during fiscal year 2023. In fall 2023, the District secured the human resources and required authorizations to conduct random sampling of the faculty data entry.
The District's Internal Audit Department (IAD) is performing random sampling at all campuses. As of fall 2023, all corrective actions have been fully implemented.
Personnel Responsible for Implementation: Steve Giorgi, Betsy Regalado, Keyna Crenshaw
Position of Responsible Personnel: Financial Aid Manager; Associate Vice Chancellor of Educational Programs and Institutional Effectiveness; LACCD Supervising Auditor
Expected Date of Implementation: Fall 2023
Finding FA 2023-003: Special Tests and Provisions: Gramm-Leach-Bliley Act – Student Information Security – Formally Establish and Document Risk Acceptance Process, Perform Regular Backup Restoration Tests, Perform Timely Access Revocation and Regular Access Reviews, Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards, Maintain and Review Logs of Users' Activity for both SAP and PS SIS, Implement Data-at-Rest Encryption for Devices Storing Customer Data, Enforce Strict Compliance on Controls over SAP Direct to Production Changes (Repeat Finding)

Federal Program Information
Assistance Listing Number: ALN 84.007, 84.033, 84.038, 84.048, 84.063 and 84.268
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2022, to June 30, 2023
Compliance Requirement: Special Tests and Provisions – Gramm-Leach-Bliley Act – Student Information Security

Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be "financial institutions" subject to GLBA because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).
On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA and established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements outlined in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions were required to be in compliance with the revised requirements no later than June 9, 2023.

Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, "Proposed § 314.4 [Elements] altered the current Rule's required elements of an information security program and added several new elements." The FTC also stated, "[t]he elements for the information security programs set forth in this section [16 CFR 314.4] are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed." The elements that an institution must address in its written information security program are at 16 CFR 314.4.
At a minimum, an institution's written information security program:
• Designates a qualified individual responsible for overseeing, implementing, and enforcing the institution's information security program (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution's written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards are summarized as follows:
  – Implement and periodically review access controls.
  – Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted.
  – Encrypt customer information on the institution's system and when it is in transit.
  – Assess apps developed by the institution.
  – Implement multi-factor authentication for anyone accessing customer information on the institution's system.
  – Dispose of customer information securely.
  – Anticipate and evaluate changes to the information system or network.
  – Maintain a log of authorized users' activity and keep an eye out for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution's information security program (16 CFR 314.4(g)).

The first element that an institution's written information security program must address is the designation of an individual with responsibility for implementing and enforcing the program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate responsibility and accountability for implementing and enforcing the institution's information security program (16 CFR 314.4(a)). The regulations do allow an institution to use a service provider as its Qualified Individual. In that case, the institution must:
• Retain responsibility for compliance with GLBA;
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations (16 CFR 314.4(a)(1) through (3)).
Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring it, ED expects that the Qualified Individual would be able to provide the auditors with the written information security program that addresses the required elements.

Identified Conditions:

A. Formally Establish and Document Risk Acceptance Process (repeat finding)
The District's Written Information Security Program does not explicitly define the criteria for accepting potential risks. A related process document, which the District committed to complete in the prior year, was still in development as of September 2023.

B. Perform Regular Backup Restoration Tests (repeat finding)
The District performed a comprehensive tabletop Disaster Recovery (DR) exercise for both SAP and SIS during the audit period. As part of the exercise, the DR team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations for improvement; the exercise was also reviewed and approved by the Vice Chancellor and Chief Information Officer. However, a key activity, the actual restoration of data from backup, was not performed as part of the tabletop exercise or at any other point during the audit period. A tabletop walkthrough exercises the plan on paper; only an actual restore demonstrates that the backups are complete and usable.

C. Perform Timely Access Revocation and Regular Access Reviews (repeat finding)
Based on a test of controls to verify that access of terminated employees is removed in a timely manner from Active Directory (AD), SAP, and the PeopleSoft Student Information System (PS SIS), we noted that, of the terminated employees subject to testing:
1. 13 users were still active in AD, three (3) of whom logged in after their termination.
2. 76 users were still active in SAP, 19 of whom logged in after their termination.
3. 81 users were still active in PS SIS, 42 of whom logged in after their termination.
Moreover, while a privileged-user access review is performed for AD, no review is performed to check the validity of regular users in AD or the validity and appropriateness of users in SAP and SIS. Employee functions and responsibilities change over time, so previously provisioned access may no longer be appropriate. Furthermore, a new compliance requirement, periodic review of physical access to the data centers where the critical student information systems are hosted [16 CFR 314.4(c)(1)], was also not performed during the audit period.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
16 CFR 314.4(f), a new compliance requirement, requires institutions to periodically assess service providers based on the risk they present and the continued adequacy of their safeguards. However, we noted that contracts for the following service providers were renewed by the District from 2020 to 2022, and thereafter, without a sufficient information security review:
a. XAP – used for requesting, sending, and receiving electronic transcripts.
b. Bank Mobile – used for student refund processing.
c. Campus Logic – used for student online verification processing.
These contracts predate the adoption of the District's Information Security Program and were therefore adopted, and later renewed, without an Information Security Review.

E. Maintain and Review Logs of Users' Activity for both SAP and PS SIS
A new compliance requirement, which requires institutions to monitor and log the activity of authorized users and to detect unauthorized access to, use of, or tampering with customer information by such users [16 CFR 314.4(c)(8)], is not currently implemented by the District.
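The access-revocation test the auditors describe in condition C, and the per-user activity log that condition E says the District does not keep, can be reproduced as a reconciliation script. The following is an added example written for this page, not code from the audit report or from the District: it joins an HR termination list against a user-list export from each system, flags leavers whose accounts are still active past a grace period and leavers with logged activity dated after their termination, and flags idle accounts for the periodic review that the auditors note is not performed for regular users. The CSV column names, the status values, the one-day grace period, the 90-day idle threshold, the system names and every record below are assumptions constructed for the example.

```python
"""Leaver reconciliation across AD, SAP and PS SIS with a post-termination
activity check.

Added example, not code from the audit report or the District. It assumes
each system can export a user list as CSV with employee_id, username, status
and last_logon columns, that HR can export terminations with employee_id and
termination_date, and that an activity log (the 16 CFR 314.4(c)(8) record)
can be exported with timestamp, system, username and event columns. All data
below is constructed for the example.
"""
import csv
import io
from datetime import date, datetime, timedelta

# --- Constructed sample inputs (hypothetical, not District data) -----------
HR_TERMINATIONS = """employee_id,termination_date
E1001,2022-09-30
E1002,2022-11-15
E1003,2023-02-01
"""

ACCOUNT_EXPORTS = {
    "AD": """employee_id,username,status,last_logon
E1001,alopez,Enabled,2022-10-03
E1002,bortiz,Disabled,2022-11-10
E1003,cnguyen,Enabled,2023-01-20
E2001,dsmith,Enabled,2022-12-01
""",
    "SAP": """employee_id,username,status,last_logon
E1001,ALOPEZ,Active,2022-09-28
E1002,BORTIZ,Active,2022-11-20
E2001,DSMITH,Active,2023-06-15
""",
    "PS_SIS": """employee_id,username,status,last_logon
E1003,CNGUYEN,Active,2023-02-10
E2001,DSMITH,Active,2023-06-20
""",
}

ACTIVITY_LOG = """timestamp,system,username,event
2022-10-03T08:12:00,AD,alopez,logon
2022-11-10T09:00:00,AD,bortiz,logon
2022-11-20T17:30:00,SAP,BORTIZ,logon
2023-02-10T13:45:00,PS_SIS,CNGUYEN,student_record_view
2023-06-20T10:00:00,PS_SIS,DSMITH,student_record_view
"""

AS_OF = date(2023, 6, 30)            # end of the audited fiscal year
GRACE = timedelta(days=1)            # assumed: disable within one day of leaving
DORMANT_AFTER = timedelta(days=90)   # assumed: idle threshold for access review
ACTIVE_STATUSES = {"enabled", "active"}


def rows(csv_text):
    """Parse an embedded CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def terminations():
    """employee_id -> termination date, from the HR export."""
    return {r["employee_id"]: date.fromisoformat(r["termination_date"])
            for r in rows(HR_TERMINATIONS)}


def event_date(ev):
    """Calendar date of one activity-log event."""
    return datetime.fromisoformat(ev["timestamp"]).date()


def reconcile(system, export_text, log_text=ACTIVITY_LOG, as_of=AS_OF):
    """Exceptions for one system:
    active_terminated - leavers whose account is still enabled past the grace period
    logged_in_after   - leavers with any logged activity dated after termination
    dormant           - current staff accounts idle longer than DORMANT_AFTER
    """
    term_dates = terminations()
    leavers = {}                                # username -> termination date
    active_terminated, dormant = [], []
    for acct in rows(export_text):
        is_active = acct["status"].lower() in ACTIVE_STATUSES
        left_on = term_dates.get(acct["employee_id"])
        last = date.fromisoformat(acct["last_logon"])
        if left_on is not None:
            leavers[acct["username"]] = left_on
            if is_active and as_of > left_on + GRACE:
                active_terminated.append(acct["username"])
        elif is_active and as_of - last > DORMANT_AFTER:
            dormant.append(acct["username"])
    # The log check ignores the status field on purpose: a disabled account
    # with activity after the leaving date is still an exception.
    logged_in_after = sorted({
        ev["username"] for ev in rows(log_text)
        if ev["system"] == system
        and ev["username"] in leavers
        and event_date(ev) > leavers[ev["username"]]
    })
    return {"active_terminated": active_terminated,
            "logged_in_after": logged_in_after,
            "dormant": dormant}


def reconcile_all():
    """Run the reconciliation for every system export."""
    return {name: reconcile(name, text) for name, text in ACCOUNT_EXPORTS.items()}


if __name__ == "__main__":
    for name, result in reconcile_all().items():
        print(name, result)
```

To run this against real exports, replace the embedded strings with the file contents; the lengths of `active_terminated` and `logged_in_after` per system correspond to the pairs of figures the auditors report (13 and 3 for AD, 76 and 19 for SAP, 81 and 42 for PS SIS). The second check depends entirely on the activity log, which is why condition E's logging is a prerequisite for it: an enabled leaver account with no log at all can only ever appear in `active_terminated`.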
Implement Data-at-Rest Encryption for Devices Storing Customer Data A new compliance requirement, which requires institutions to protect by encryption all students’ data held at rest [16 CFR 314.4(c)(3)], is not currently implemented by the District (e.g., SAP and SIS servers). G. Enforce Strict Compliance on Controls over SAP Direct to Production Changes SAP production client was opened on 10/03/2022 and 11/09/2022 without sufficient documentation that it was authorized and approved. Opening the production client, if not controlled, carries a significant risk since changes can be made directly to the production environment without transport requests, thereby circumventing any established change management controls. Cause and Effect: A. Formally Establish and Document Risk Acceptance Process The absence of a formal risk acceptance process can lead to inappropriate risk treatment and a lack of oversight in managing risks, resulting in inconsistent approaches that may not align with the District’s overall risk tolerance. B. Perform Regular Backup Restoration Tests Lack of proper restoration testing may hinder the District from recovering its data completely and accurately. C. Perform Timely Access Revocation and Regular Access Reviews Failure to deactivate or remove accounts of terminated employees timely may result in unauthorized access to the District’s resources and sensitive information. Furthermore, the absence of user access reviews increases the risk of inappropriate users or access remaining undetected over time which may be used to process unauthorized transactions or view confidential information. D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards Non-performance of review may result in the District relying on IT service providers with ineffective information security controls making them susceptible to data breaches. 
A breach in a third-party system may expose the District to financial, operational, legal, and reputational damages. E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and unauthorized activities may not be detected and responded to in a timely manner. F. Implement Data-at-Rest encryption for Devices Storing Customer Data Data that is held to devices without encryption is vulnerable to unauthorized access, especially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students’ information may be exposed. G. Enforce Strict Compliance on Controls over SAP Direct to Production Changes Insufficient controls over client opening may result in the implementation of unauthorized changes directly into the production environment. This increases the risk that changes to the system may not follow the District’s change management process (documentation, authorization, testing, and approval) prior to the implementation of the change to the production environment. Recommendation: A. Formally Establish and Document Risk Acceptance Process We recommend that the District establish and implement the District’s Risk Acceptance process that details the criteria and conditions for accepting potential risks. We also recommend that the District ensure this is aligned with the District’s objectives, overall risk tolerance, and current practices in identifying, assessing, and mitigating risks. B. Perform Regular Backup Restoration Tests Together with the DR tabletop exercises, we recommend that backup restoration tests should be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval. C. 
Perform Timely Access Revocation and Regular Access Reviews 1. We recommend that the District revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of activities/transactions performed by these accounts, if any. 2. Concurrently, the District should improve the account termination procedures to ensure that access to terminated employees is timely revoked. 3. We also recommend that regular access reviews for AD, SAP, PS SIS, and the physical accesses to data centers where these systems are hosted, are performed, and documented (for both regular and privileged users) to ensure that only valid and appropriate users remain in the system and have access to relevant information. The review may include, but is not limited to the following: a. Document management control over the completeness and accuracy of the reports used in the review. b. Define designated functions/roles to perform the review. c. Monitor timeliness of the performance of the review and execution of corrective actions as a result of the review D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards Revisit the District’s current practices for evaluating third-party provider’s information security to ensure that all third-party are reviewed and evaluated regularly. At the minimum, the process should involve continuous monitoring, contractual provisions summarizing security requirements, and a strategy for addressing security vulnerabilities identified during reviews. E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS Formally establish a process for logging and monitoring users’ activity which includes collection, retention, regular review, and documentation of user activity logs. 
The review should be aligned with the District’s access management practices to ensure that only authorized users are allowed to access information that is aligned with their functions and responsibilities. F. Implement Data-at-Rest encryption for Devices Storing Customer Data The District should establish and implement data-at-rest encryption for endpoint devices to ensure that data is inaccessible to unauthorized users in cases when logical and physical measures are compromised. G. Strictly Implement Processes and Control for Direct Changes in the SAP Production Environment Ensure that production client openings, particularly those related to direct production changes, strictly adhere to the District’s Change Management Procedure. These client openings and the related changes should be properly documented, authorized, and validated prior to implementation. Views of Responsible Officials and Planned Corrective Actions: A. Formally Establish and Document Risk Acceptance Process Requirements for risk assessments and risk acceptance processes to comply with GLBA were expanded in June of 2023. The District engaged a third-party consultant to conduct a GLBA-compliant risk assessment and advise on recommended changes to the District’s Written Information Security Plan (WISP) to comply with the new requirements. The findings and recommendations were presented to the District in October of 2023 and are currently under review. The District will initiate a project to formalize risk acceptance by December 31st, 2023, and implement the risk acceptance process by June 30, 2024. B. Perform Regular Backup Restoration Tests The District has engaged with a third party to build a testing environment to physically test restoration of the SIS environment. Initiation of the project is pending processing of the Purchase Order. The District anticipates completion of the restoration by December 31st, 2023. 
With respect to SAP, the District is currently engaged in an effort to migrate the SAP database to HANA. When this project is complete, the same test environment will be capable of performing physical recovery tests for SAP. The HANA migration is estimated to be completed on February 28th, 2024. C. Perform Timely Access Revocation and Regular Access Reviews With respect to the District’s Single Sign-On (ADFS or SSO) environments, the District engaged professional services consultants to address this item by automating the disablement of employee accounts based upon the termination of assignment. The work is currently underway. The target completion of the process is December 15, 2023. With respect to the SAP environment, the District has engaged with a vendor to implement Multifactor Authentication (MFA) in the SAP environment. Work will begin upon processing the Purchase Order. Once both efforts are complete, disabling employee accounts in SSO, SIS and SAP will be performed automatically based upon the termination of assignments according to criteria established by Human Resources. With respect to access reviews of SIS and SAP, the District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024. With respect to physical access reviews, the District Information Security Team will perform an annual review of relevant operational protocols for data center access with the appropriate internal teams and perform an audit of data access at a minimum of once per year. The first annual protocol review will be completed by December 1st, 2023. The first annual audit will commence no later than March 1st, 2024. D. 
Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards To prevent recurrence, the LACCD Information Security Team will coordinate an annual review of Administrative Protocol 3723A: Information Security Evaluation of Third-Party Providers with District Financial Aid, Procurement and Educational Programming and Institutional Effectiveness (EPIE) leadership teams to help assure future relevant contracts are provided to the Information Security Team prior to renewal to allow for timely security review. E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS The District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024. F. Implement data encryption for Devices Storing Customer Data The District engaged a third-party consultant to perform a comprehensive review of PeopleSoft security controls, including the implementation of encryption of financial aid data within PeopleSoft. The results are pending. Based upon those recommendations, the District will work with encryption providers to develop and implement field-level encryption of financial aid data in SIS as appropriate. With respect to end-user devices storing sensitive data, the District recently adopted workstation hardening requirements that include whole-disk encryption for desktop and laptop computers used by personnel who routinely access sensitive information, including financial aid data. The District will implement the standards on workstations used by employees in financial aid and institutional research by June 30, 2024. Once this is complete, additional workstations will be encrypted in order of potential risk. G. 
Strictly Implement Processes and Control for Direct Changes in the SAP Production Environment The requests for direct changes in SAP production will be tracked and included in our help desk requests so that an auditable trail can be created leading to the purpose and completion of the production changes. Additionally, direct production change requests will be reviewed and approved following the LACCD Change Control process. Minor updates that do not fall within the change control guidelines will require managerial approval within the help desk system. Personnel Responsible for Implementation: Carmen V. Lidz Position of Responsible Personnel: Vice Chancellor & Chief Information Officer
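The control test behind condition C (terminated employees whose accounts remain usable in AD, SAP and PS SIS, and which of those accounts were used after the termination date) can be run as a recurring reconciliation rather than once a year at audit time. The following is an added example, not code from the audit report or the District; the export column names, the emplid join key and all sample rows are constructed assumptions.

```python
"""Added example: reconcile an HR termination feed against AD, SAP and PS SIS exports."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample data; column names and the "emplid" join key are assumptions.
HR_TERMINATIONS_CSV = """emplid,termination_date
1001,2022-09-15
1002,2022-11-01
1003,2023-02-10
1004,2023-04-30
"""
# AD lastLogonTimestamp is replicated but refreshed only every 9-14 days: a lower bound on use.
AD_EXPORT_CSV = """sAMAccountName,emplid,enabled,lastLogonTimestamp
aexample,1001,True,2022-09-20
bexample,1002,False,2022-10-28
cexample,1003,True,
dexample,1004,True,2023-04-29
eexample,1005,True,2023-06-20
"""
SAP_EXPORT_CSV = """sap_user,emplid,lock_status,last_logon
AEXAMPLE,1001,unlocked,2022-12-01
BEXAMPLE,1002,locked,2022-10-15
CEXAMPLE,1003,unlocked,2023-03-01
"""
SIS_EXPORT_CSV = """oprid,emplid,acct_locked,last_signon
AEX,1001,N,2022-09-10
BEX,1002,Y,2022-11-05
DEX,1004,N,2023-06-01
"""
EXPORTS = {"AD": AD_EXPORT_CSV, "SAP": SAP_EXPORT_CSV, "PS SIS": SIS_EXPORT_CSV}


@dataclass(frozen=True)
class SystemSpec:
    account_col: str
    active_col: str
    active_values: frozenset[str]  # lower-cased values meaning "still usable"
    last_logon_col: str


SYSTEMS = {
    "AD": SystemSpec("sAMAccountName", "enabled", frozenset({"true"}), "lastLogonTimestamp"),
    "SAP": SystemSpec("sap_user", "lock_status", frozenset({"unlocked"}), "last_logon"),
    "PS SIS": SystemSpec("oprid", "acct_locked", frozenset({"n"}), "last_signon"),
}


@dataclass(frozen=True)
class AccessException:
    account: str
    emplid: str
    terminated: date
    still_active: bool
    last_logon: date | None
    logged_in_after_termination: bool


def load_terminations(csv_text: str) -> dict[str, date]:
    """Map employee id -> termination date from the HR feed."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["emplid"].strip(): date.fromisoformat(r["termination_date"]) for r in rows}


def find_exceptions(system: str, export_csv: str,
                    terminations: dict[str, date]) -> list[AccessException]:
    """Terminated employees whose account is still usable or was used after termination."""
    spec, found = SYSTEMS[system], []
    for row in csv.DictReader(io.StringIO(export_csv)):
        emplid = (row.get("emplid") or "").strip()
        terminated = terminations.get(emplid)
        if terminated is None:
            continue  # current employee or non-HR account: outside this test's population
        active = (row.get(spec.active_col) or "").strip().lower() in spec.active_values
        raw_logon = (row.get(spec.last_logon_col) or "").strip()
        last_logon = date.fromisoformat(raw_logon) if raw_logon else None
        used_after = last_logon is not None and last_logon > terminated
        if active or used_after:  # anything else was revoked in time and never reused
            found.append(AccessException(row[spec.account_col], emplid, terminated,
                                         active, last_logon, used_after))
    return found


def summarize(exceptions: list[AccessException]) -> dict[str, int]:
    """Counts in the form the finding reports them, plus accounts used before revocation."""
    active = [e for e in exceptions if e.still_active]
    return {"still_active": len(active),
            "active_and_logged_in_after_termination": sum(e.logged_in_after_termination for e in active),
            "revoked_but_logged_in_after_termination": sum(
                e.logged_in_after_termination and not e.still_active for e in exceptions)}


def run_reconciliation(exports: dict[str, str], hr_csv: str) -> dict[str, dict[str, int]]:
    terminations = load_terminations(hr_csv)
    return {name: summarize(find_exceptions(name, text, terminations))
            for name, text in exports.items()}
```

The revoked_but_logged_in_after_termination count catches accounts that were eventually disabled but only after being used, which a point-in-time check of active accounts alone misses; the flagged accounts are the population for the post-termination activity review in recommendation C.1.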
Finding FA 2023-03: Special Tests and Provisions: Gramm Leach Bliley Act - Student Information Security – Formally Establish and Document Risk Acceptance Process, Perform Regular Backup Restoration Tests, Perform Timely Access Revocation and Regular Access Reviews, Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards, Maintain and Review Logs of Users' Activity for both SAP and PS SIS, Implement Data-at-Rest Encryption for Devices Storing Customer Data, Enforce Strict Compliance on Controls over SAP Direct to Production Changes (Repeat Finding)

Federal Program Information
Assistance Listing Number: ALN 84.007, 84.033, 84.038, 84.048, 84.063 and 84.268
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2022, to June 30, 2023
Compliance Requirement: Special Tests and Provisions – Gramm Leach Bliley Act – Student Information Security

Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be “financial institutions” subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).

On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA and established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements outlined in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.” Institutions are required to be in compliance with the revised requirements no later than June 9, 2023.

Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4 [Elements] altered the current Rule’s required elements of an information security program and added several new elements.” The FTC also stated, “[t]he elements for the information security programs set forth in this section [16 CFR 314.4] are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.” The elements that an institution must address in its written information security program are at 16 CFR 314.4.

At a minimum, an institution’s written information security program:
• Designates a qualified individual responsible for overseeing, implementing, and enforcing the institution’s information security program (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
– Implement and periodically review access controls.
– Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted.
– Encrypt customer information on the institution’s system and when it is in transit.
– Assess apps developed by the institution.
– Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
– Dispose of customer information securely.
– Anticipate and evaluate changes to the information system or network.
– Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).

The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing the institution’s written information security program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)). The regulations do provide for an institution to use a service provider as a Qualified Individual. In cases where an institution uses a service provider as the Qualified Individual, the institution must:
• Retain responsibility for compliance with GLBA;
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).
Finding FA 2023‑03: Special Tests and Provisions: Gramm Leach Bliley Act ‑ Student Information Security – Formally Establish and Document Risk Acceptance Process, Perform Regular Backup Restoration Tests, Perform Timely Access Revocation and Regular Access Reviews, Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards, Maintain and Review Logs of Users' Activity for both SAP and PS SIS, Implement Data-at-Rest Encryption for Devices Storing Customer Data, Enforce Strict Compliance on Controls over SAP Direct to Production Changes (Repeat Finding)

Federal Program Information
Assistance Listing Number: ALN 84.007, 84.033, 84.038, 84.048, 84.063 and 84.268
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2022, to June 30, 2023
Compliance Requirement: Special Tests and Provisions – Gramm Leach Bliley Act – Student Information Security

Criteria or Specific Requirement:

The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).

On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements outlined in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.” Institutions are required to be in compliance with the revised requirements no later than June 9, 2023.

Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4 [Elements] altered the current Rule’s required elements of an information security program and added several new elements.” The FTC also stated, “[t]he elements for the information security programs set forth in this section [16 CFR 314.4] are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.” The elements that an institution must address in its written information security program are at 16 CFR 314.4.

At a minimum, an institution’s written information security program:
• Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
  – Implement and periodically review access controls.
  – Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
  – Encrypt customer information on the institution’s system and when it’s in transit.
  – Assess apps developed by the institution.
  – Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
  – Dispose of customer information securely.
  – Anticipate and evaluate changes to the information system or network.
  – Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).

The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)). The regulations do provide for an institution to use a service provider as a Qualified Individual. In cases where an institution uses a service provider as the Qualified Individual, the institution must:
• Retain responsibility for compliance with GLBA.
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).

Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the information security program, ED expects that the Qualified Individual would be able to provide the written information security program that addresses the elements required for the written information security program to the auditors.

Identified Conditions:

A. Formally Establish and Document Risk Acceptance Process (repeat finding)

The District’s Written Information Security Program does not explicitly define the criteria for accepting potential risks. A related process document, which was committed to be completed in the prior year, is still in development as of September 2023.

B. Perform Regular Backup Restoration Tests (repeat finding)

The District performed a comprehensive Tabletop Disaster Recovery (DR) exercise for both SAP and SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations to improve moving forward; the exercise was also reviewed and approved by the Vice Chancellor and Chief Information Officer. However, a key activity, the actual backup restoration testing, was not performed as part of the tabletop exercise or at any point during the audit period.

C. Perform Timely Access Revocation and Regular Access Reviews (repeat finding)

Based on a test of controls to verify that access of terminated employees is removed in a timely manner in Active Directory (AD), SAP, and PeopleSoft Student Information System (PS SIS), we noted that out of the terminated employees subject to testing:
1. 13 users were active in AD, three (3) of whom have logged in after their termination.
2. 76 users were still active in SAP, 19 of whom have logged in after their termination.
3. 81 users were still active in PS SIS, 42 of whom have logged in after their termination.

Moreover, while a privileged user access review is performed for AD, there is no review performed to check the validity of regular users in AD and the validity and appropriateness of users in SAP and SIS. Employee functions and/or responsibilities may change over time; thus, previously provisioned access may no longer be valid. Furthermore, a new compliance requirement, which requires institutions to perform periodic access reviews for physical access in the data centers where the critical student information systems are hosted [16 CFR 314.4(c)(1)], was also not performed during the audit period.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards

16 CFR 314.4(f), a new compliance requirement, requires institutions to periodically assess service providers based on the risk they present and the continued adequacy of their safeguards. However, we noted that contracts for the following service providers were renewed by the District without sufficient information security review from 2020 to 2022 and the period thereafter.
a. XAP – used for requesting, sending, and receiving electronic transcripts.
b. Bank Mobile – used for student refund processing.
c. Campus Logic – used for student online verification processing.
These contracts were instituted before the adoption of the District’s Information Security Program and thus, were adopted and renewed thereafter without an Information Security Review.

E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS

A new compliance requirement, which requires institutions to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users [16 CFR 314.4(c)(8)], is not currently implemented by the District.

F. Implement Data-at-Rest Encryption for Devices Storing Customer Data

A new compliance requirement, which requires institutions to protect by encryption all students’ data held at rest [16 CFR 314.4(c)(3)], is not currently implemented by the District (e.g., SAP and SIS servers).

G. Enforce Strict Compliance on Controls over SAP Direct to Production Changes

The SAP production client was opened on 10/03/2022 and 11/09/2022 without sufficient documentation that it was authorized and approved. Opening the production client, if not controlled, carries a significant risk since changes can be made directly to the production environment without transport requests, thereby circumventing any established change management controls.

Cause and Effect:

A. Formally Establish and Document Risk Acceptance Process

The absence of a formal risk acceptance process can lead to inappropriate risk treatment and a lack of oversight in managing risks, resulting in inconsistent approaches that may not align with the District’s overall risk tolerance.

B. Perform Regular Backup Restoration Tests

Lack of proper restoration testing may hinder the District from recovering its data completely and accurately.

C. Perform Timely Access Revocation and Regular Access Reviews

Failure to deactivate or remove accounts of terminated employees in a timely manner may result in unauthorized access to the District’s resources and sensitive information. Furthermore, the absence of user access reviews increases the risk of inappropriate users or access remaining undetected over time, which may be used to process unauthorized transactions or view confidential information.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards

Non-performance of review may result in the District relying on IT service providers with ineffective information security controls, making them susceptible to data breaches. A breach in a third-party system may expose the District to financial, operational, legal, and reputational damages.

E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS

Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and unauthorized activities, may not be detected and responded to in a timely manner.

F. Implement Data-at-Rest Encryption for Devices Storing Customer Data

Data that is held on devices without encryption is vulnerable to unauthorized access, especially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students’ information, may be exposed.

G. Enforce Strict Compliance on Controls over SAP Direct to Production Changes

Insufficient controls over client opening may result in the implementation of unauthorized changes directly into the production environment. This increases the risk that changes to the system may not follow the District’s change management process (documentation, authorization, testing, and approval) prior to the implementation of the change to the production environment.

Recommendation:

A. Formally Establish and Document Risk Acceptance Process

We recommend that the District establish and implement the District’s Risk Acceptance process that details the criteria and conditions for accepting potential risks. We also recommend that the District ensure this is aligned with the District’s objectives, overall risk tolerance, and current practices in identifying, assessing, and mitigating risks.

B. Perform Regular Backup Restoration Tests

Together with the DR tabletop exercises, we recommend that backup restoration tests be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval.

C. Perform Timely Access Revocation and Regular Access Reviews

1. We recommend that the District revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of activities/transactions performed by these accounts, if any.
2. Concurrently, the District should improve the account termination procedures to ensure that access of terminated employees is revoked in a timely manner.
3. We also recommend that regular access reviews for AD, SAP, PS SIS, and the physical accesses to data centers where these systems are hosted are performed and documented (for both regular and privileged users) to ensure that only valid and appropriate users remain in the system and have access to relevant information. The review may include, but is not limited to, the following:
a. Document management control over the completeness and accuracy of the reports used in the review.
b. Define designated functions/roles to perform the review.
c. Monitor timeliness of the performance of the review and execution of corrective actions as a result of the review.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards

Revisit the District’s current practices for evaluating third-party providers’ information security to ensure that all third-party providers are reviewed and evaluated regularly. At the minimum, the process should involve continuous monitoring, contractual provisions summarizing security requirements, and a strategy for addressing security vulnerabilities identified during reviews.

E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS

Formally establish a process for logging and monitoring users’ activity which includes collection, retention, regular review, and documentation of user activity logs.
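The test of controls in Identified Condition C and the review in Recommendation C come down to one reconciliation: an HR termination list joined against each system's account export, reporting accounts still enabled after termination and accounts with a recorded login after the termination date. The script below is an added illustration of that reconciliation, not part of the audit report or of any District tooling; the CSV layouts (employee_id, account, status, last_login), the system names and every record are constructed, and real AD, SAP and PeopleSoft exports use different columns and would be mapped onto these first.

```python
"""Reconcile an HR termination list against per-system account exports.

Added illustration for the access-revocation control test described in the
finding. All data below is constructed; the column names are assumptions,
not the layout of any actual AD, SAP or PeopleSoft export.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed HR feed: one row per terminated employee.
TERMINATIONS_CSV = """employee_id,termination_date
E1001,2023-01-15
E1002,2023-03-01
E1003,2023-04-20
E1004,2023-05-05
"""

# Constructed account exports, keyed by system. E2001 is a current employee
# and must never be flagged. E1002 in "PS SIS" was disabled eventually but
# still shows a login after termination, which is exactly what Recommendation
# C.1 asks the District to review.
ACCOUNT_EXPORTS = {
    "AD": """employee_id,account,status,last_login
E1001,jdoe,active,2023-02-10
E1002,asmith,disabled,2023-02-25
E1003,bwong,active,2023-04-01
E1004,cgarcia,active,
E2001,still_here,active,2023-06-01
""",
    "SAP": """employee_id,account,status,last_login
E1001,JDOE,active,2023-01-10
E1003,BWONG,active,2023-05-02
E1004,CGARCIA,active,2023-06-15
""",
    "PS SIS": """employee_id,account,status,last_login
E1002,asmith,disabled,2023-03-10
E1003,bwong,active,2023-04-25
E2001,still_here,active,2023-06-20
""",
}


@dataclass
class SystemResult:
    system: str
    # (employee_id, account) for terminated employees whose account is not disabled
    still_active: List[Tuple[str, str]] = field(default_factory=list)
    # (employee_id, account, last_login) where the login postdates termination,
    # regardless of whether the account has since been disabled
    post_termination_logins: List[Tuple[str, str, date]] = field(default_factory=list)


def load_terminations(text: str) -> Dict[str, date]:
    """Map employee_id -> termination date from the HR CSV."""
    return {
        row["employee_id"]: date.fromisoformat(row["termination_date"])
        for row in csv.DictReader(io.StringIO(text))
    }


def parse_optional_date(value: str) -> Optional[date]:
    """Exports leave last_login empty for accounts that never signed in."""
    value = (value or "").strip()
    return date.fromisoformat(value) if value else None


def reconcile(system: str, export_text: str, terminations: Dict[str, date]) -> SystemResult:
    """Flag terminated employees' accounts in one system's export."""
    result = SystemResult(system)
    for row in csv.DictReader(io.StringIO(export_text)):
        term_date = terminations.get(row["employee_id"])
        if term_date is None:
            continue  # current employee; out of scope for this test
        if row["status"].strip().lower() != "disabled":
            result.still_active.append((row["employee_id"], row["account"]))
        last_login = parse_optional_date(row["last_login"])
        # A login on the termination date itself is treated as same-day
        # activity and not flagged; only strictly later logins are.
        if last_login is not None and last_login > term_date:
            result.post_termination_logins.append(
                (row["employee_id"], row["account"], last_login)
            )
    return result


def run_all(terminations_csv: str = TERMINATIONS_CSV,
            exports: Dict[str, str] = ACCOUNT_EXPORTS) -> Dict[str, SystemResult]:
    terminations = load_terminations(terminations_csv)
    return {name: reconcile(name, text, terminations) for name, text in exports.items()}


def summarize(results: Dict[str, SystemResult]) -> Dict[str, Tuple[int, int]]:
    """Per system: (accounts still active, accounts with post-termination logins),
    the same two counts the finding reports for AD, SAP and PS SIS."""
    return {
        name: (len(r.still_active), len(r.post_termination_logins))
        for name, r in results.items()
    }


if __name__ == "__main__":
    for name, r in run_all().items():
        print(f"{name}: {len(r.still_active)} still active, "
              f"{len(r.post_termination_logins)} with logins after termination")
        for emp, acct, when in r.post_termination_logins:
            print(f"  review activity of {acct} ({emp}) since {when}")
```

Running the constructed data yields AD 3/1, SAP 3/2 and PS SIS 1/2; the PS SIS figure shows why post-termination logins are checked independently of current account status.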
The review should be aligned with the District’s access management practices to ensure that only authorized users are allowed to access information that is aligned with their functions and responsibilities. F. Implement Data-at-Rest encryption for Devices Storing Customer Data The District should establish and implement data-at-rest encryption for endpoint devices to ensure that data is inaccessible to unauthorized users in cases when logical and physical measures are compromised. G. Strictly Implement Processes and Control for Direct Changes in the SAP Production Environment Ensure that production client openings, particularly those related to direct production changes, strictly adhere to the District’s Change Management Procedure. These client openings and the related changes should be properly documented, authorized, and validated prior to implementation. Views of Responsible Officials and Planned Corrective Actions: A. Formally Establish and Document Risk Acceptance Process Requirements for risk assessments and risk acceptance processes to comply with GLBA were expanded in June of 2023. The District engaged a third-party consultant to conduct a GLBA-compliant risk assessment and advise on recommended changes to the District’s Written Information Security Plan (WISP) to comply with the new requirements. The findings and recommendations were presented to the District in October of 2023 and are currently under review. The District will initiate a project to formalize risk acceptance by December 31st, 2023, and implement the risk acceptance process by June 30, 2024. B. Perform Regular Backup Restoration Tests The District has engaged with a third party to build a testing environment to physically test restoration of the SIS environment. Initiation of the project is pending processing of the Purchase Order. The District anticipates completion of the restoration by December 31st, 2023. 
With respect to SAP, the District is currently engaged in an effort to migrate the SAP database to HANA. When this project is complete, the same test environment will be capable of performing physical recovery tests for SAP. The HANA migration is estimated to be completed on February 28th, 2024. C. Perform Timely Access Revocation and Regular Access Reviews With respect to the District’s Single Sign-On (ADFS or SSO) environments, the District engaged professional services consultants to address this item by automating the disablement of employee accounts based upon the termination of assignment. The work is currently underway. The target completion of the process is December 15, 2023. With respect to the SAP environment, the District has engaged with a vendor to implement Multifactor Authentication (MFA) in the SAP environment. Work will begin upon processing the Purchase Order. Once both efforts are complete, disabling employee accounts in SSO, SIS and SAP will be performed automatically based upon the termination of assignments according to criteria established by Human Resources. With respect to access reviews of SIS and SAP, the District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024. With respect to physical access reviews, the District Information Security Team will perform an annual review of relevant operational protocols for data center access with the appropriate internal teams and perform an audit of data access at a minimum of once per year. The first annual protocol review will be completed by December 1st, 2023. The first annual audit will commence no later than March 1st, 2024. D. 
Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards To prevent recurrence, the LACCD Information Security Team will coordinate an annual review of Administrative Protocol 3723A: Information Security Evaluation of Third-Party Providers with District Financial Aid, Procurement and Educational Programming and Institutional Effectiveness (EPIE) leadership teams to help assure future relevant contracts are provided to the Information Security Team prior to renewal to allow for timely security review. E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS The District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024. F. Implement data encryption for Devices Storing Customer Data The District engaged a third-party consultant to perform a comprehensive review of PeopleSoft security controls, including the implementation of encryption of financial aid data within PeopleSoft. The results are pending. Based upon those recommendations, the District will work with encryption providers to develop and implement field-level encryption of financial aid data in SIS as appropriate. With respect to end-user devices storing sensitive data, the District recently adopted workstation hardening requirements that include whole-disk encryption for desktop and laptop computers used by personnel who routinely access sensitive information, including financial aid data. The District will implement the standards on workstations used by employees in financial aid and institutional research by June 30, 2024. Once this is complete, additional workstations will be encrypted in order of potential risk. G. 
Strictly Implement Processes and Control for Direct Changes in the SAP Production Environment The requests for direct changes in SAP production will be tracked and included in our help desk requests so that an auditable trail can be created leading to the purpose and completion of the production changes. Additionally, direct production change requests will be reviewed and approved following the LACCD Change Control process. Minor updates that do not fall within the change control guidelines will require managerial approval within the help desk system. Personnel Responsible for Implementation: Carmen V. Lidz Position of Responsible Personnel: Vice Chancellor & Chief Information Officer
Finding FA 2023‑03: Special Tests and Provision: Gramm Leach Bliley Act ‑ Student Information Security – Formally Establish and Document Risk Acceptance Process, Perform Regular Backup Restoration Tests, Perform Timely Access Revocation and Regular Access Reviews, Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards, Maintain and Review Logs of Users' Activity for both SAP and PS SIS, Implement Data-at-Rest Encryption for Devices Storing Customer Data, Enforce Strict Compliance on Controls over SAP Direct to Production Changes (Repeat Finding) Federal Program Information Assistance Listing Number: ALN 84.007, 84.033, 84.038, 84.048, 84.063 and 84.268 Federal Program Name: Student Financial Assistance Cluster Federal Agency: U.S. Department of Education Passed Through Entity: N/A Federal Award Number: Various Federal Award Year: July 1, 2022, to June 30, 2023 Compliance Requirement: Special Tests and Provisions – Gramm Leach Bliley Act – Student Information Security Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)). 
On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements outlined in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.” Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4 [Elements] altered the current Rule’s required elements of an information security program and added several new elements.” The FTC also stated, “[t]he elements for the information security programs set forth in this section [16 CFR 314.4} are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.” The elements that an institution must address in its written information security program are at 16 CFR 314.4. 
At a minimum, an institution’s written information security program:

• Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).

• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).

• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
  – Implement and periodically review access controls.
  – Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
  – Encrypt customer information on the institution’s system and when it’s in transit.
  – Assess apps developed by the institution.
  – Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
  – Dispose of customer information securely.
  – Anticipate and evaluate changes to the information system or network.
  – Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.

• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).

• Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).

• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).

• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).

The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing the institution’s written information security program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)). The regulations do provide for an institution to use a service provider as the Qualified Individual. In cases where an institution uses a service provider as the Qualified Individual, the institution must:

• Retain responsibility for compliance with GLBA;
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).

Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the information security program, ED expects that the Qualified Individual would be able to provide the auditors with the written information security program that addresses the required elements.

Identified Conditions:

A. Formally Establish and Document Risk Acceptance Process (repeat finding)

The District’s Written Information Security Program does not explicitly define the criteria for accepting potential risks. A related process document, which was committed to be completed in the prior year, is still in development as of September 2023.

B. Perform Regular Backup Restoration Tests (repeat finding)

The District performed a comprehensive Tabletop Disaster Recovery (DR) exercise for both SAP and SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations to improve moving forward; the exercise was also reviewed and approved by the Vice Chancellor and Chief Information Officer. However, a key activity, the actual backup restoration testing, was not performed as part of the tabletop exercise or at any point during the audit period.

C. Perform Timely Access Revocation and Regular Access Reviews (repeat finding)

Based on a test of controls to verify that access of terminated employees is removed in a timely manner in Active Directory (AD), SAP, and the PeopleSoft Student Information System (PS SIS), we noted that, out of the terminated employees subject to testing:
1. 13 users were still active in AD, three (3) of whom have logged in after their termination.
2. 76 users were still active in SAP, 19 of whom have logged in after their termination.
3. 81 users were still active in PS SIS, 42 of whom have logged in after their termination.
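The test of controls above, joining an HR termination extract against account extracts from AD, SAP and PS SIS, written out as an added example that is not from the audit report: per system it lists which terminated employees still hold an enabled account and which signed in after their termination date, and it goes slightly beyond the reported figures by also flagging post-termination logons on accounts that have since been disabled, since the recommendation calls for reviewing that activity. All employee ids, login names, dates and the keying of every extract by HR employee id are constructed assumptions; in practice the HR id has to be mapped to each system's own user id first.

```python
"""Access-revocation test of controls (finding C), as an added example.

Not part of the audit report. Joins a constructed HR termination extract
against constructed account extracts from AD, SAP and PS SIS and reports,
per system, which terminated employees still hold an enabled account and
which signed in after their termination date.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    user_id: str                 # the system's own login name
    enabled: bool                # account state at extraction time
    last_logon: Optional[date]   # None = never logged in / not recorded


@dataclass
class SystemResult:
    system: str
    # terminated employees whose account is still enabled (exception)
    active_after_termination: List[str] = field(default_factory=list)
    # terminated employees with a logon dated after termination; kept
    # regardless of current state, because that activity needs review
    logged_in_after_termination: List[str] = field(default_factory=list)


def review_terminated_access(
    terminations: Dict[str, date],
    accounts_by_system: Dict[str, Dict[str, Account]],
) -> Dict[str, SystemResult]:
    """terminations: employee id -> termination date (HR extract).
    accounts_by_system: system name -> {employee id: Account}. Keying the
    extracts by employee id assumes the HR-to-login mapping has already
    been resolved (an assumption; building that mapping is the hard part)."""
    results: Dict[str, SystemResult] = {}
    for system, accounts in accounts_by_system.items():
        res = SystemResult(system)
        for emp_id, term_date in terminations.items():
            acct = accounts.get(emp_id)
            if acct is None:
                continue  # no account in this system, or already deleted
            if acct.enabled:
                res.active_after_termination.append(emp_id)
            if acct.last_logon is not None and acct.last_logon > term_date:
                res.logged_in_after_termination.append(emp_id)
        results[system] = res
    return results


def summarize(results: Dict[str, SystemResult]) -> Dict[str, Tuple[int, int]]:
    """Per system: (still-enabled count, post-termination-logon count),
    the two figures the finding reports for AD, SAP and PS SIS."""
    return {
        s: (len(r.active_after_termination), len(r.logged_in_after_termination))
        for s, r in results.items()
    }


def workpaper_lines(results, terminations, accounts_by_system) -> List[str]:
    """One line per exception, in the form an auditor's workpaper would carry."""
    lines = []
    for system, res in results.items():
        for emp_id in res.active_after_termination:
            acct = accounts_by_system[system][emp_id]
            lines.append(f"{system}: {emp_id} ({acct.user_id}) still enabled; "
                         f"terminated {terminations[emp_id]}")
        for emp_id in res.logged_in_after_termination:
            acct = accounts_by_system[system][emp_id]
            lines.append(f"{system}: {emp_id} ({acct.user_id}) logged on "
                         f"{acct.last_logon} after termination on "
                         f"{terminations[emp_id]}; review activity")
    return lines


# Constructed sample extracts (not taken from the audit).
TERMINATIONS = {
    "E001": date(2023, 1, 15),
    "E002": date(2023, 2, 1),
    "E003": date(2023, 3, 10),
    "E004": date(2023, 4, 5),
    "E005": date(2023, 5, 20),
}
ACCOUNTS = {
    "AD": {
        "E001": Account("jdoe", True, date(2023, 1, 20)),    # enabled, used after termination
        "E002": Account("asmith", True, date(2023, 1, 28)),  # enabled, not used since
        "E003": Account("bwong", False, date(2023, 3, 9)),   # disabled: no exception
        "E005": Account("clee", True, None),                 # enabled, never logged in
    },
    "SAP": {
        "E001": Account("JDOE", True, date(2023, 2, 3)),
        "E003": Account("BWONG", True, date(2023, 3, 1)),
        "E004": Account("DKIM", True, date(2023, 4, 6)),
    },
    "PS SIS": {
        "E002": Account("asmith", False, date(2023, 2, 2)),  # disabled now, but used after termination
        "E004": Account("dkim", True, date(2023, 4, 4)),
    },
}

if __name__ == "__main__":
    res = review_terminated_access(TERMINATIONS, ACCOUNTS)
    for system, (active, logged) in summarize(res).items():
        print(f"{system}: {active} still active, {logged} logged in after termination")
    for line in workpaper_lines(res, TERMINATIONS, ACCOUNTS):
        print("  " + line)
```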
Moreover, while a privileged user access review is performed for AD, there is no review performed to check the validity of regular users in AD or the validity and appropriateness of users in SAP and SIS. Employee functions and/or responsibilities may change over time; thus, previously provisioned access may no longer be valid. Furthermore, the periodic review of physical access to the data centers where the critical student information systems are hosted, which a new compliance requirement [16 CFR 314.4(c)(1)] requires institutions to perform, was also not performed during the audit period.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards

16 CFR 314.4(f), a new compliance requirement, requires institutions to periodically assess service providers based on the risk they present and the continued adequacy of their safeguards. However, we noted that contracts for the following service providers were renewed by the District without sufficient information security review from 2020 to 2022 and the period thereafter:
a. XAP – used for requesting, sending, and receiving electronic transcripts.
b. Bank Mobile – used for student refund processing.
c. Campus Logic – used for student online verification processing.

These contracts were instituted before the adoption of the District’s Information Security Program and thus were adopted and renewed thereafter without an Information Security Review.

E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS

A new compliance requirement, which requires institutions to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users [16 CFR 314.4(c)(8)], is not currently implemented by the District.

F. Implement Data-at-Rest Encryption for Devices Storing Customer Data

A new compliance requirement, which requires institutions to protect by encryption all students’ data held at rest [16 CFR 314.4(c)(3)], is not currently implemented by the District (e.g., on the SAP and SIS servers).

G. Enforce Strict Compliance on Controls over SAP Direct to Production Changes

The SAP production client was opened on 10/03/2022 and 11/09/2022 without sufficient documentation that it was authorized and approved. Opening the production client, if not controlled, carries a significant risk, since changes can be made directly to the production environment without transport requests, thereby circumventing any established change management controls.

Cause and Effect:

A. Formally Establish and Document Risk Acceptance Process

The absence of a formal risk acceptance process can lead to inappropriate risk treatment and a lack of oversight in managing risks, resulting in inconsistent approaches that may not align with the District’s overall risk tolerance.

B. Perform Regular Backup Restoration Tests

Lack of proper restoration testing may hinder the District from recovering its data completely and accurately.

C. Perform Timely Access Revocation and Regular Access Reviews

Failure to deactivate or remove accounts of terminated employees in a timely manner may result in unauthorized access to the District’s resources and sensitive information. Furthermore, the absence of user access reviews increases the risk of inappropriate users or access remaining undetected over time, which may be used to process unauthorized transactions or view confidential information.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards

Non-performance of the review may result in the District relying on IT service providers with ineffective information security controls, making them susceptible to data breaches. A breach in a third-party system may expose the District to financial, operational, legal, and reputational damages.

E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS

Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and unauthorized activities, may not be detected and responded to in a timely manner.

F. Implement Data-at-Rest Encryption for Devices Storing Customer Data

Data that is held on devices without encryption is vulnerable to unauthorized access, especially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students’ information, may be exposed.

G. Enforce Strict Compliance on Controls over SAP Direct to Production Changes

Insufficient controls over client opening may result in the implementation of unauthorized changes directly into the production environment. This increases the risk that changes to the system may not follow the District’s change management process (documentation, authorization, testing, and approval) prior to the implementation of the change to the production environment.

Recommendation:

A. Formally Establish and Document Risk Acceptance Process

We recommend that the District establish and implement a Risk Acceptance process that details the criteria and conditions for accepting potential risks. We also recommend that the District ensure this process is aligned with the District’s objectives, overall risk tolerance, and current practices in identifying, assessing, and mitigating risks.

B. Perform Regular Backup Restoration Tests

Together with the DR tabletop exercises, we recommend that backup restoration tests be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and the required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval.

C. Perform Timely Access Revocation and Regular Access Reviews

1. We recommend that the District revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of any activities/transactions performed by these accounts.
2. Concurrently, the District should improve the account termination procedures to ensure that the access of terminated employees is revoked in a timely manner.
3. We also recommend that regular access reviews for AD, SAP, PS SIS, and physical access to the data centers where these systems are hosted be performed and documented (for both regular and privileged users) to ensure that only valid and appropriate users remain in the system and have access to relevant information. The review may include, but is not limited to, the following:
   a. Document management control over the completeness and accuracy of the reports used in the review.
   b. Define designated functions/roles to perform the review.
   c. Monitor the timeliness of the performance of the review and the execution of corrective actions resulting from the review.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards

Revisit the District’s current practices for evaluating third-party providers’ information security to ensure that all third parties are reviewed and evaluated regularly. At a minimum, the process should involve continuous monitoring, contractual provisions summarizing security requirements, and a strategy for addressing security vulnerabilities identified during reviews.

E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS

Formally establish a process for logging and monitoring users’ activity which includes the collection, retention, regular review, and documentation of user activity logs. The review should be aligned with the District’s access management practices to ensure that only authorized users are allowed to access information that is aligned with their functions and responsibilities.

F. Implement Data-at-Rest Encryption for Devices Storing Customer Data

The District should establish and implement data-at-rest encryption for endpoint devices to ensure that data is inaccessible to unauthorized users in cases where logical and physical measures are compromised.

G. Strictly Implement Processes and Control for Direct Changes in the SAP Production Environment

Ensure that production client openings, particularly those related to direct production changes, strictly adhere to the District’s Change Management Procedure. These client openings and the related changes should be properly documented, authorized, and validated prior to implementation.

Views of Responsible Officials and Planned Corrective Actions:

A. Formally Establish and Document Risk Acceptance Process

Requirements for risk assessments and risk acceptance processes to comply with GLBA were expanded in June of 2023. The District engaged a third-party consultant to conduct a GLBA-compliant risk assessment and advise on recommended changes to the District’s Written Information Security Plan (WISP) to comply with the new requirements. The findings and recommendations were presented to the District in October of 2023 and are currently under review. The District will initiate a project to formalize risk acceptance by December 31st, 2023, and implement the risk acceptance process by June 30, 2024.

B. Perform Regular Backup Restoration Tests

The District has engaged with a third party to build a testing environment to physically test restoration of the SIS environment. Initiation of the project is pending processing of the Purchase Order. The District anticipates completion of the restoration by December 31st, 2023. With respect to SAP, the District is currently engaged in an effort to migrate the SAP database to HANA. When this project is complete, the same test environment will be capable of performing physical recovery tests for SAP. The HANA migration is estimated to be completed on February 28th, 2024.

C. Perform Timely Access Revocation and Regular Access Reviews

With respect to the District’s Single Sign-On (ADFS or SSO) environments, the District engaged professional services consultants to address this item by automating the disablement of employee accounts based upon the termination of assignment. The work is currently underway. The target completion of the process is December 15, 2023. With respect to the SAP environment, the District has engaged with a vendor to implement Multifactor Authentication (MFA) in the SAP environment. Work will begin upon processing the Purchase Order. Once both efforts are complete, disabling employee accounts in SSO, SIS and SAP will be performed automatically based upon the termination of assignments according to criteria established by Human Resources. With respect to access reviews of SIS and SAP, the District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024. With respect to physical access reviews, the District Information Security Team will perform an annual review of relevant operational protocols for data center access with the appropriate internal teams and perform an audit of data access at a minimum of once per year. The first annual protocol review will be completed by December 1st, 2023. The first annual audit will commence no later than March 1st, 2024.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards

To prevent recurrence, the LACCD Information Security Team will coordinate an annual review of Administrative Protocol 3723A: Information Security Evaluation of Third-Party Providers with District Financial Aid, Procurement and Educational Programming and Institutional Effectiveness (EPIE) leadership teams to help assure future relevant contracts are provided to the Information Security Team prior to renewal to allow for timely security review.

E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS

The District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024.

F. Implement Data Encryption for Devices Storing Customer Data

The District engaged a third-party consultant to perform a comprehensive review of PeopleSoft security controls, including the implementation of encryption of financial aid data within PeopleSoft. The results are pending. Based upon those recommendations, the District will work with encryption providers to develop and implement field-level encryption of financial aid data in SIS as appropriate. With respect to end-user devices storing sensitive data, the District recently adopted workstation hardening requirements that include whole-disk encryption for desktop and laptop computers used by personnel who routinely access sensitive information, including financial aid data. The District will implement the standards on workstations used by employees in financial aid and institutional research by June 30, 2024. Once this is complete, additional workstations will be encrypted in order of potential risk.

G. Strictly Implement Processes and Control for Direct Changes in the SAP Production Environment

The requests for direct changes in SAP production will be tracked and included in our help desk requests so that an auditable trail can be created leading to the purpose and completion of the production changes. Additionally, direct production change requests will be reviewed and approved following the LACCD Change Control process. Minor updates that do not fall within the change control guidelines will require managerial approval within the help desk system.

Personnel Responsible for Implementation: Carmen V. Lidz
Position of Responsible Personnel: Vice Chancellor & Chief Information Officer
Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards To prevent recurrence, the LACCD Information Security Team will coordinate an annual review of Administrative Protocol 3723A: Information Security Evaluation of Third-Party Providers with District Financial Aid, Procurement and Educational Programming and Institutional Effectiveness (EPIE) leadership teams to help assure future relevant contracts are provided to the Information Security Team prior to renewal to allow for timely security review. E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS The District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024. F. Implement data encryption for Devices Storing Customer Data The District engaged a third-party consultant to perform a comprehensive review of PeopleSoft security controls, including the implementation of encryption of financial aid data within PeopleSoft. The results are pending. Based upon those recommendations, the District will work with encryption providers to develop and implement field-level encryption of financial aid data in SIS as appropriate. With respect to end-user devices storing sensitive data, the District recently adopted workstation hardening requirements that include whole-disk encryption for desktop and laptop computers used by personnel who routinely access sensitive information, including financial aid data. The District will implement the standards on workstations used by employees in financial aid and institutional research by June 30, 2024. Once this is complete, additional workstations will be encrypted in order of potential risk. G. 
Strictly Implement Processes and Control for Direct Changes in the SAP Production Environment The requests for direct changes in SAP production will be tracked and included in our help desk requests so that an auditable trail can be created leading to the purpose and completion of the production changes. Additionally, direct production change requests will be reviewed and approved following the LACCD Change Control process. Minor updates that do not fall within the change control guidelines will require managerial approval within the help desk system. Personnel Responsible for Implementation: Carmen V. Lidz Position of Responsible Personnel: Vice Chancellor & Chief Information Officer
Finding FA 2023-03: Special Tests and Provisions: Gramm Leach Bliley Act - Student Information Security – Formally Establish and Document Risk Acceptance Process, Perform Regular Backup Restoration Tests, Perform Timely Access Revocation and Regular Access Reviews, Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards, Maintain and Review Logs of Users' Activity for both SAP and PS SIS, Implement Data-at-Rest Encryption for Devices Storing Customer Data, Enforce Strict Compliance on Controls over SAP Direct to Production Changes (Repeat Finding)

Federal Program Information
Assistance Listing Number: ALN 84.007, 84.033, 84.038, 84.048, 84.063 and 84.268
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2022, to June 30, 2023
Compliance Requirement: Special Tests and Provisions – Gramm Leach Bliley Act – Student Information Security

Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be “financial institutions” subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).

On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements outlined in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.” Institutions are required to be in compliance with the revised requirements no later than June 9, 2023.

Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4 [Elements] altered the current Rule’s required elements of an information security program and added several new elements.” The FTC also stated, “[t]he elements for the information security programs set forth in this section [16 CFR 314.4] are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.” The elements that an institution must address in its written information security program are at 16 CFR 314.4.

At a minimum, an institution’s written information security program:
• Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
– Implement and periodically review access controls.
– Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
– Encrypt customer information on the institution’s system and when it’s in transit.
– Assess apps developed by the institution.
– Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
– Dispose of customer information securely.
– Anticipate and evaluate changes to the information system or network.
– Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).

The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)).

The regulations do provide for an institution to use a service provider as a Qualified Individual. In cases where an institution uses a service provider as the Qualified Individual, the institution must:
• Retain responsibility for compliance with GLBA.
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).

Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the information security program, ED expects that the Qualified Individual would be able to provide the auditors with the written information security program that addresses the required elements.

Identified Conditions:

A. Formally Establish and Document Risk Acceptance Process (repeat finding)
The District’s Written Information Security Program does not explicitly define the criteria for accepting potential risks. A related process document, which was committed to be completed in the prior year, is still in development as of September 2023.

B. Perform Regular Backup Restoration Tests (repeat finding)
The District performed a comprehensive Tabletop Disaster Recovery (DR) exercise for both SAP and SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully supported with recovery considerations, steps, results, recovery challenges, and key recommendations to improve moving forward; the exercise was also reviewed and approved by the Vice Chancellor and Chief Information Officer. However, a key activity, the actual backup restoration test, was not performed as part of the tabletop exercise or at any point during the audit period.

C. Perform Timely Access Revocation and Regular Access Reviews (repeat finding)
Based on a test of controls to verify that access of terminated employees is removed in a timely manner in Active Directory (AD), SAP, and PeopleSoft Student Information System (PS SIS), we noted that out of the terminated employees subject to testing:
1. 13 users were active in AD, three (3) of whom have logged in after their termination.
2. 76 users were still active in SAP, 19 of whom have logged in after their termination.
3. 81 users were still active in PS SIS, 42 of whom have logged in after their termination.
Moreover, while a privileged user access review is performed for AD, there is no review performed to check the validity of regular users in AD or the validity and appropriateness of users in SAP and SIS. Employee functions and/or responsibilities may change over time; thus, previously provisioned access may no longer be valid. Furthermore, a new compliance requirement, which requires institutions to perform periodic access reviews for physical access in the data centers where the critical student information systems are hosted [16 CFR 314.4(c)(1)], was also not performed during the audit period.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
16 CFR 314.4(f), a new compliance requirement, requires institutions to periodically assess service providers based on the risk they present and the continued adequacy of their safeguards. However, we noted that contracts for the following service providers were renewed by the District without sufficient information security review from 2020 to 2022 and the period thereafter:
a. XAP – used for requesting, sending, and receiving electronic transcripts.
b. Bank Mobile – used for student refund processing.
c. Campus Logic – used for student online verification processing.
These contracts were instituted before the adoption of the District’s Information Security Program and thus were adopted and renewed thereafter without an Information Security Review.

E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
A new compliance requirement, which requires institutions to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users [16 CFR 314.4(c)(8)], is not currently implemented by the District.

F. Implement Data-at-Rest Encryption for Devices Storing Customer Data
A new compliance requirement, which requires institutions to protect by encryption all students’ data held at rest [16 CFR 314.4(c)(3)], is not currently implemented by the District (e.g., SAP and SIS servers).

G. Enforce Strict Compliance on Controls over SAP Direct to Production Changes
The SAP production client was opened on 10/03/2022 and 11/09/2022 without sufficient documentation that it was authorized and approved. Opening the production client, if not controlled, carries a significant risk since changes can be made directly to the production environment without transport requests, thereby circumventing any established change management controls.

Cause and Effect:

A. Formally Establish and Document Risk Acceptance Process
The absence of a formal risk acceptance process can lead to inappropriate risk treatment and a lack of oversight in managing risks, resulting in inconsistent approaches that may not align with the District’s overall risk tolerance.

B. Perform Regular Backup Restoration Tests
Lack of proper restoration testing may hinder the District from recovering its data completely and accurately.

C. Perform Timely Access Revocation and Regular Access Reviews
Failure to deactivate or remove accounts of terminated employees in a timely manner may result in unauthorized access to the District’s resources and sensitive information. Furthermore, the absence of user access reviews increases the risk of inappropriate users or access remaining undetected over time, which may be used to process unauthorized transactions or view confidential information.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
Non-performance of review may result in the District relying on IT service providers with ineffective information security controls, making them susceptible to data breaches. A breach in a third-party system may expose the District to financial, operational, legal, and reputational damages.

E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and unauthorized activities, may not be detected and responded to in a timely manner.

F. Implement Data-at-Rest Encryption for Devices Storing Customer Data
Data held on devices without encryption is vulnerable to unauthorized access, especially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students’ information, may be exposed.

G. Enforce Strict Compliance on Controls over SAP Direct to Production Changes
Insufficient controls over client opening may result in the implementation of unauthorized changes directly into the production environment. This increases the risk that changes to the system may not follow the District’s change management process (documentation, authorization, testing, and approval) prior to the implementation of the change to the production environment.

Recommendation:

A. Formally Establish and Document Risk Acceptance Process
We recommend that the District establish and implement a Risk Acceptance process that details the criteria and conditions for accepting potential risks. We also recommend that the District ensure this is aligned with the District’s objectives, overall risk tolerance, and current practices in identifying, assessing, and mitigating risks.

B. Perform Regular Backup Restoration Tests
Together with the DR tabletop exercises, we recommend that backup restoration tests be performed at least once per year. Detailed testing schedules should be drafted based on DRP specifications and the required restoration of the critical systems. Documentation of such tests should be maintained for full management awareness and approval.

C. Perform Timely Access Revocation and Regular Access Reviews
1. We recommend that the District revoke the access of terminated employees and review the activities performed by those accounts after their termination date to ensure the validity and appropriateness of any activities/transactions performed by these accounts.
2. Concurrently, the District should improve the account termination procedures to ensure that access of terminated employees is revoked in a timely manner.
3. We also recommend that regular access reviews for AD, SAP, PS SIS, and physical access to the data centers where these systems are hosted are performed and documented (for both regular and privileged users) to ensure that only valid and appropriate users remain in the system and have access to relevant information. The review may include, but is not limited to, the following:
a. Document management control over the completeness and accuracy of the reports used in the review.
b. Define designated functions/roles to perform the review.
c. Monitor the timeliness of the performance of the review and the execution of corrective actions resulting from the review.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
Revisit the District’s current practices for evaluating third-party providers’ information security to ensure that all third parties are reviewed and evaluated regularly. At a minimum, the process should involve continuous monitoring, contractual provisions summarizing security requirements, and a strategy for addressing security vulnerabilities identified during reviews.

E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Formally establish a process for logging and monitoring users’ activity which includes collection, retention, regular review, and documentation of user activity logs. The review should be aligned with the District’s access management practices to ensure that only authorized users are allowed to access information that is aligned with their functions and responsibilities.

F. Implement Data-at-Rest Encryption for Devices Storing Customer Data
The District should establish and implement data-at-rest encryption for endpoint devices to ensure that data is inaccessible to unauthorized users in cases when logical and physical measures are compromised.

G. Strictly Implement Processes and Control for Direct Changes in the SAP Production Environment
Ensure that production client openings, particularly those related to direct production changes, strictly adhere to the District’s Change Management Procedure. These client openings and the related changes should be properly documented, authorized, and validated prior to implementation.

Views of Responsible Officials and Planned Corrective Actions:

A. Formally Establish and Document Risk Acceptance Process
Requirements for risk assessments and risk acceptance processes to comply with GLBA were expanded in June of 2023. The District engaged a third-party consultant to conduct a GLBA-compliant risk assessment and advise on recommended changes to the District’s Written Information Security Plan (WISP) to comply with the new requirements. The findings and recommendations were presented to the District in October of 2023 and are currently under review. The District will initiate a project to formalize risk acceptance by December 31st, 2023, and implement the risk acceptance process by June 30, 2024.

B. Perform Regular Backup Restoration Tests
The District has engaged with a third party to build a testing environment to physically test restoration of the SIS environment. Initiation of the project is pending processing of the Purchase Order. The District anticipates completion of the restoration by December 31st, 2023. With respect to SAP, the District is currently engaged in an effort to migrate the SAP database to HANA. When this project is complete, the same test environment will be capable of performing physical recovery tests for SAP. The HANA migration is estimated to be completed on February 28th, 2024.

C. Perform Timely Access Revocation and Regular Access Reviews
With respect to the District’s Single Sign-On (ADFS or SSO) environments, the District engaged professional services consultants to address this item by automating the disablement of employee accounts based upon the termination of assignment. The work is currently underway. The target completion of the process is December 15, 2023. With respect to the SAP environment, the District has engaged with a vendor to implement Multifactor Authentication (MFA) in the SAP environment. Work will begin upon processing the Purchase Order. Once both efforts are complete, disabling employee accounts in SSO, SIS and SAP will be performed automatically based upon the termination of assignments according to criteria established by Human Resources. With respect to access reviews of SIS and SAP, the District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024. With respect to physical access reviews, the District Information Security Team will perform an annual review of relevant operational protocols for data center access with the appropriate internal teams and perform an audit of data access at a minimum of once per year. The first annual protocol review will be completed by December 1st, 2023. The first annual audit will commence no later than March 1st, 2024.

D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
To prevent recurrence, the LACCD Information Security Team will coordinate an annual review of Administrative Protocol 3723A: Information Security Evaluation of Third-Party Providers with District Financial Aid, Procurement and Educational Programming and Institutional Effectiveness (EPIE) leadership teams to help assure future relevant contracts are provided to the Information Security Team prior to renewal to allow for timely security review.

E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
The District is currently researching the export of user audit logs to the District’s analysis environment to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the end of Q1 2024.

F. Implement Data Encryption for Devices Storing Customer Data
The District engaged a third-party consultant to perform a comprehensive review of PeopleSoft security controls, including the implementation of encryption of financial aid data within PeopleSoft. The results are pending. Based upon those recommendations, the District will work with encryption providers to develop and implement field-level encryption of financial aid data in SIS as appropriate. With respect to end-user devices storing sensitive data, the District recently adopted workstation hardening requirements that include whole-disk encryption for desktop and laptop computers used by personnel who routinely access sensitive information, including financial aid data. The District will implement the standards on workstations used by employees in financial aid and institutional research by June 30, 2024. Once this is complete, additional workstations will be encrypted in order of potential risk.

G. Strictly Implement Processes and Control for Direct Changes in the SAP Production Environment
The requests for direct changes in SAP production will be tracked and included in our help desk requests so that an auditable trail can be created leading to the purpose and completion of the production changes. Additionally, direct production change requests will be reviewed and approved following the LACCD Change Control process. Minor updates that do not fall within the change control guidelines will require managerial approval within the help desk system.

Personnel Responsible for Implementation: Carmen V. Lidz
Position of Responsible Personnel: Vice Chancellor & Chief Information Officer
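The test of controls behind Identified Condition C (terminated employees still enabled in AD, SAP and PS SIS, some of whom logged in after termination) and the post-termination activity review in Recommendations C and E can be run mechanically against an HR termination feed and per-system account exports. The following Python is an added example and is not code from the audit report or from the District. The HR feed, the three account exports, the employee ids and the review date are all constructed for illustration; `grace_days` is an assumed revocation deadline standing in for whatever threshold the District's termination procedure sets, which the report does not state.

```python
"""Terminated-account reconciliation for an access review (added example).

Given an HR termination feed and account exports per system, flag:
  * accounts still enabled after the termination date (plus an assumed
    grace window for the revocation deadline), and
  * accounts with a last login after the termination date.
It also lists exported accounts that have no HR record, so the reviewer
can judge the completeness of the reports used (Recommendation C, item 3a).
All data below is constructed; it is not drawn from the audit.
"""
from datetime import date, timedelta

# Constructed HR feed: employee id -> termination date.
TERMINATIONS = {
    "E1001": date(2023, 1, 31),
    "E1002": date(2023, 3, 15),
    "E1003": date(2023, 4, 30),
    "E1004": date(2022, 11, 10),
}

# Constructed account exports per system.
# Each row: (employee id, account enabled?, last login date or None).
ACCOUNTS = {
    "AD": [
        ("E1001", True, date(2023, 2, 14)),  # enabled and used after termination
        ("E1002", False, date(2023, 3, 1)),  # disabled; last login before termination
        ("E1003", True, None),               # enabled, no login recorded
        ("E9999", True, date(2023, 6, 1)),   # no HR record for this id
    ],
    "SAP": [
        ("E1001", True, date(2023, 1, 20)),  # enabled, last login before termination
        ("E1004", True, date(2023, 5, 2)),   # enabled and used after termination
    ],
    "PS SIS": [
        ("E1002", True, date(2023, 5, 9)),   # enabled and used after termination
        ("E1003", False, None),              # disabled
    ],
}

# Constructed review date (end of the audit period in the report).
REVIEW_DATE = date(2023, 6, 30)


def reconcile(terminations, accounts, as_of, grace_days=0):
    """Return, per system, the exceptions an access reviewer needs to chase.

    grace_days is an assumed revocation deadline: an enabled account is only
    an exception once as_of is past termination date + grace_days.
    """
    report = {}
    for system, rows in accounts.items():
        still_active, used_after, no_hr_record = [], [], []
        for emp, enabled, last_login in rows:
            term = terminations.get(emp)
            if term is None:
                # Cannot be judged against HR data; report for completeness review.
                no_hr_record.append(emp)
                continue
            if enabled and as_of > term + timedelta(days=grace_days):
                still_active.append(emp)
            if last_login is not None and last_login > term:
                used_after.append(emp)
        report[system] = {
            "still_active": still_active,
            "used_after_termination": used_after,
            "no_hr_record": no_hr_record,
        }
    return report


def summarize(report):
    """Counts in the form the audit states them:
    system -> (still active, logged in after termination)."""
    return {s: (len(r["still_active"]), len(r["used_after_termination"]))
            for s, r in report.items()}


def run_review(grace_days=0):
    """Convenience wrapper over the constructed data."""
    return reconcile(TERMINATIONS, ACCOUNTS, REVIEW_DATE, grace_days)


if __name__ == "__main__":
    result = run_review()
    for system, (active, used) in summarize(result).items():
        print(f"{system}: {active} still active, {used} logged in after termination")
    for system, r in result.items():
        if r["no_hr_record"]:
            print(f"{system}: no HR record for {r['no_hr_record']} (check report completeness)")
```

The `used_after_termination` list is the one to prioritize: it is evidence of use, not just of a stale account, and each entry should be traced through the system's activity logs before the account is removed, as Recommendation C item 1 asks. Raising `grace_days` to the procedure's real deadline turns the `still_active` list into a measure of the termination process rather than a snapshot of every not-yet-disabled account.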
Finding FA 2023-004: Special Tests and Provisions – Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device – Failure to Submit URL to the Secretary of Education for Publication in a Centralized Database Accessible to the Public

Federal Catalog Number: ALN 84.007, 84.033, 84.038, 84.063, and 93.364
Federal Program Name: Student Financial Assistance Cluster: Federal Supplemental Educational Opportunity Grants (FSEOG), Federal Work-Study Program (FWS), Federal Perkins Loan Program, Federal Pell Grant Program, Federal Direct Student Loans, Nursing Student Loans (NSL)
Federal Agency: U.S. Department of Education (ED)
Passed Through Entity: N/A
Federal Award Number:
FSEOG P007A210450, P007A210365, P007A210451, P007A210452, P007A210453, P007A210455, P007A210456, P007A210457, P007A210676
FWS P033A210450, P033A210365, P033A210451, P033A210452, P033A210453, P033A210455, P033A210456, P033A210457, P033A210676
Pell P063P210033, P063P215263, P063P210034, P063P210658, P063P210035, P063P215261, P063P215260, P063P210036, P063P215262
NSL P268K220033, P268K225263, P268K220034, P268K220658, P268K220035, P268K225261, P268K225260, P268K220036, P268K225262
Federal Award Year: July 1, 2022, to June 30, 2023
Campuses: Los Angeles Community College District
Compliance Requirement: Special Tests and Provisions: Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device

Criteria or Specific Requirements:
Per 34 Code of Federal Regulations 668.164, Disbursing Funds: in a Tier One (T1) arrangement, an institution located in a State has a contract with a third-party servicer under which the servicer performs one or more of the functions associated with processing direct payments of Title IV, HEA program funds on behalf of the institution. The institution or third-party servicer makes payments to one or more financial accounts that are offered to students under the contract; a financial account where information about the account is communicated directly to students by the third-party servicer, or by the institution on behalf of or in conjunction with the third-party servicer; or a financial account where information about the account is communicated directly to students by an entity contracting with or affiliated with the third-party servicer.

Institutions with a T1 arrangement must, no later than September 1, 2017, and then no later than 60 days following the most recently completed award year thereafter, disclose conspicuously on the institution’s website, in a format established by the Secretary of Education, the total consideration for the most recently completed award year, monetary and non-monetary, paid or received by the parties under the terms of the contract; and, for any year in which the institution’s enrolled students open 30 or more financial accounts under the T1 arrangement, the number of students who had financial accounts under the contract at any time during the most recently completed award year, and the mean and median of the actual costs incurred by those account holders. The institution must also provide the Secretary with an up-to-date Uniform Resource Locator (URL) for the contract and contract data described above for publication in a centralized database accessible to the public.

Identified Condition:
We noted that the District’s URL link to the contract with BMTX, Inc. (BankMobile) and other required information was not included in the latest Cash Management Contracts Database published by ED in March 2022, as the District was unable to provide the URL link to ED for the award year ended June 30, 2023.

Cause and Effect:
Due to a miscommunication between District staff and BankMobile staff, the website link was not submitted to the Department of Education, although the report was published and available to the public.

Questioned Costs: None.

Recommendation:
We recommend that the District review its roles and responsibilities with BankMobile and implement control procedures to ensure that the District remains compliant with the requirements of the Uniform Guidance and the Code of Federal Regulations.

Views of Responsible Officials and Planned Corrective Actions:
The District has taken responsibility for providing the Department of Education with the website link and will provide that going forward.

Personnel Responsible for Implementation: Nyame-Tease Prempeh
Position of Responsible Personnel: Assistant Director of Accounting
Expected Date of Implementation: November 1, 2023
Finding FA 2023-005: Reporting – Untimely and Incomplete Posting of Quarterly Reports to the College's Website and Inaccurate Reported Expenditures in the Published Quarterly Reports

Federal Catalog Number: ALN 84.425E, 84.425F, and 84.425L
Federal Program Name: Higher Education Emergency Relief Fund
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: P425E200844, P425F202148, P425L200439, P425E204139, P425F203076, P425L200440
Federal Award Year: July 1, 2022, to June 30, 2023
Campuses: Los Angeles Pierce College; Los Angeles Trade Technical College
Compliance Requirement: Reporting

Criteria or Specific Requirements: Per the U.S. Department of Education Notice of Public Posting Requirement of Grant Information for Higher Education Emergency Relief Fund (HEERF) Grantees: the Certification and Agreements for the Coronavirus Response and Relief Supplemental Appropriations Act of 2021 (CRRSAA) and American Rescue Plan (ARP) (a)(1) and (a)(4) funds provide that each institution applying for HEERF funds must promptly and timely provide a detailed accounting of the use and expenditure of the funds in such manner and with such frequency as the Secretary may require. Each HEERF participating institution must post the required information on the institution's primary website as an initial report under the CRRSAA and ARP (a)(1) and (a)(4) programs. This report is associated with the approved information collection under OMB control number 1801–0005. The information must appear in a format and location that is easily accessible to the public, and must be updated no later than 10 days after the end of each calendar quarter (September 30, December 31, March 31, and June 30) thereafter, unless the Secretary specifies an alternative method of reporting.

Identified Condition:

A. Untimely Posting of Quarterly Reports on the College's Website. We noted that Los Angeles Pierce College's Quarterly Budget and Expenditure Reports for all HEERF I, II, and III grant funds covering the quarters ending December 31, 2022, and March 31, 2023, were not publicly posted on the college's primary website.

B. Incomplete Posting of Published Links Related to the Quarterly Report on the College's Website. We noted that Los Angeles Trade Technical College's Quarterly Budget and Expenditure Report for all HEERF I, II, and III grant funds covering the quarter ending June 30, 2023, was not completely posted on the college's primary website. The link to the quarterly report ending June 30, 2023, was published on time, but the link incorrectly redirected to the March 31, 2023, quarterly report.

C. Inaccuracy of Quarterly Expenditures Reported on the College's Website. We noted that the expenditures reported in Los Angeles Pierce College's Quarterly Budget and Expenditure Reports for all HEERF I, II, and III grant funds covering the quarters ending December 31, 2022, and June 30, 2023, were inaccurate.
• For the quarter ending December 31, 2022, the expenditures were overstated by $284,593 due to the inclusion of expenditures already reported for the previous quarter ending September 30, 2022. Per inquiry, the preparer inadvertently reported the expenditures on a cumulative basis.
• For the quarter ending June 30, 2023, the expenditures were erroneously reported as zero, which understated the actual expenditures incurred by $2,007,950.

Cause and Effect:

Los Angeles Trade Technical College: The reports were posted to the website on time. However, due to a clerical error, the link for the June 30, 2023, report directed users to the March 31, 2023, report. The effect was that, although the correct file existed on the server, there was no link for users to access it. This has been corrected.

Los Angeles Pierce College: The college experienced a break in the coordination of the report review, which resulted in an error on the published report. There was also a misunderstanding about accumulating data from prior reported periods.

Questioned Costs: None.

Recommendation: We recommend that the campuses review their approval process prior to posting the reports online by requiring formal preparer and approver sign-offs, to ensure that the supporting documents match the reports posted online. Additionally, we recommend that the campuses improve coordination between the report approver and the website manager so that reports are correctly linked in the backend of the website and are posted on time once prepared.

Views of Responsible Officials and Planned Corrective Actions:

Los Angeles Trade Technical College: The cause of the incorrect link was a clerical error, and the error has since been corrected; the condition no longer exists and is resolved.
Personnel Responsible for Implementation: LATTC – Charalambos Ziogas/Daniel Friedman
Position of Responsible Personnel: VPAS/CFA
Expected Date of Implementation: October 16, 2023

Los Angeles Pierce College: The college will work with District staff to update the process of reviewing, approving, and publishing or providing the reports to the appropriate websites and agencies.
Personnel Responsible for Implementation: Ron Paquette
Position of Responsible Personnel: Associate Vice President, Admin Services
Expected Date of Implementation: November 1, 2023
Finding FA 2023-006: Reporting – Untimely Submission of Quarterly Financial Reports

Federal Program Information
Federal Catalog Number: ALN 17.268
Federal Program Name: H-1B Job Training Grant
Federal Agency: U.S. Department of Labor
Passed Through Entity: N/A
Federal Award Number: HG-33046-19-60-A-6
Federal Award Year: July 1, 2022, to June 30, 2023
Campus: West Los Angeles College
Compliance Requirement: Reporting

Criteria or Specific Requirement: Per the terms and conditions of the grant agreement with the U.S. Department of Labor (DOL) – Employment and Training Administration (ETA), all ETA recipients are required to report quarterly financial data on the ETA-9130 form. ETA-9130 reports are due no later than 45 calendar days after the end of each specified reporting quarter.

Identified Condition: We noted that 2 out of 4 quarterly ETA-9130 financial reports were certified late on the U.S. Department of Labor website, as follows: see schedule of findings and questioned costs. Per inquiry with the District, the Accounting Department attempted to certify the quarterly reports before the due date but encountered log-in issues on the U.S. DOL website which prevented timely certification. The District requested a reporting extension from Joshua Hodges, Federal Project Officer for the Office of Special Initiatives and Demonstrations, U.S. DOL-ETA. Mr. Hodges did not authorize the extension and suggested submitting the quarterly reports via the Payment Management System (PMS) and coordinating with the agency's technical team to resolve the issues.

Cause and Effect: The District's approval officers were available to certify the reports; however, due to technical issues with the PMS system, certification could not be completed within the allotted time.

Questioned Costs: None.

Recommendation: We recommend that the District schedule and finalize its quarterly report submissions a week or two before the due date, so that sufficient time is available to resolve unforeseen issues such as the technical problems with the U.S. DOL website. Otherwise, an authorized waiver for late reporting must be secured from the agency.

Views of Responsible Officials and Planned Corrective Actions: The District will review reporting timelines and reschedule to allow additional time for unforeseen issues.
Personnel Responsible for Implementation: Nyame-Tease Prempeh
Position of Responsible Personnel: Assistant Director of Accounting
Expected Date of Implementation: November 1, 2023