Audit 290098

FY End: 2023-06-30
Total Expended: $6.33M
Findings: 10
Programs: 5
Organization: Calumet College of St. Joseph (IN)
Year: 2023
Accepted: 2024-02-12
Auditor: RSM US LLP

Findings

ID      Ref       Severity                Repeat  Requirement
366921  2023-001  Significant Deficiency  -       N
366922  2023-001  Significant Deficiency  -       N
366923  2023-001  Significant Deficiency  -       N
366924  2023-001  Significant Deficiency  -       N
366925  2023-002  Significant Deficiency  -       N
943363  2023-001  Significant Deficiency  -       N
943364  2023-001  Significant Deficiency  -       N
943365  2023-001  Significant Deficiency  -       N
943366  2023-001  Significant Deficiency  -       N
943367  2023-002  Significant Deficiency  -       N

Programs

ALN     Program                                              Spent     Major  Findings
84.268  Federal Direct Student Loans                         $3.21M    Yes    2
84.063  Federal Pell Grant Program                           $1.48M    Yes    1
84.031  Higher Education_institutional Aid                   $289,719  -      0
84.007  Federal Supplemental Educational Opportunity Grants  $74,585   Yes    1
84.033  Federal Work-Study Program                           $50,628   Yes    1

Contacts

Name Title Type
MGE9NF4R7B34 Lynn Miskus Auditee
2194734310 Craig Wories Auditor

Notes to SEFA

Accounting Policies: The Schedule has been prepared using the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts, if any, shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years.

De Minimis Rate Used: N
Rate Explanation: The indirect cost rate used to allocate to grant programs during the fiscal year ended June 30, 2023, is based on a federally negotiated institution for higher education rate agreement.

Title: Basis of Presentation
The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal awards activity of Calumet College of St. Joseph under programs of the federal government for the year ended June 30, 2023. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of Calumet College of St. Joseph, it is not intended to and does not present the financial position, changes in net assets, or cash flows of Calumet College of St. Joseph. All programs are for the contract period July 1, 2022 to June 30, 2023.

Title: Summary of Significant Accounting Policies
The Schedule has been prepared using the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts, if any, shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. No funds were identified as having been provided to subrecipients by Calumet College of St. Joseph under the meaning of Sections 200.92 and 200.93 of Title 2 CFR Part 200 and, accordingly, no funds identified in the schedule are attributable to subrecipient entities as required under Section 200.330(a) of Title 2 CFR Part 200. Calumet College of St. Joseph does not participate in the Perkins loan program.

Title: Indirect Cost Rate
The College has elected not to use the 10% de minimis indirect cost rate as allowed under the Uniform Guidance. The indirect cost rate used to allocate to grant programs during the fiscal year ended June 30, 2023, is based on a federally negotiated institution for higher education rate agreement.

Title: Insurance
Calumet College of St. Joseph maintains property and liability insurance which management believes is sufficient to meet its needs. None of the insurance coverages are directly funded by federal awards.

Title: Noncash Assistance
There was no noncash assistance received by Calumet College of St. Joseph related to federal awards during the year ended June 30, 2023.

Finding Details

Criteria: 2 CFR 200.303(a) requires that “the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Program Participation Agreement (PPA) with the United States Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314, which includes the development of a comprehensive written security program that includes the following parts:
• 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program.
• 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
• 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment.
• 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards they have implemented.
• 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program.
• 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee their information system service providers.

Condition: The institution’s written information security program did not include the following elements required by regulation as agreed to in the Program Participation Agreement:
• The written information security program does not designate an individual responsible for overseeing and implementing the institution’s information security program or enforcing the information security program.
• The institution has performed a risk assessment utilizing internal resources but has not based the information security program on the results of this assessment, nor has the institution included all required elements of internal and external risks to the security, confidentiality, or integrity of customer information. The institution’s risk assessment is missing an inventory of IT systems that process and store customer information and the compliance with information security elements related to multifactor authentication, access control, change management, logging and alerting, and encryption.
• The institution has not identified, designed or implemented safeguards for all of the risks identified in the risk assessment. The safeguards do not include the identification of security events or detection and response capabilities to support incident response.
• The institution has not been able to test safeguards because safeguards have not been designed or implemented in response to the risk assessment.
• The institution has not developed written policies and procedures to ensure that personnel are able to enact the information security program. There is a lack of evidence of leadership being required to report to the board or an appropriate supervisory council to ensure those charged with governance are informed on the current state of the information security program.
• The institution has not developed policies and procedures to oversee information service providers.

Cause: The institution has not created or implemented a comprehensive information security policy.

Effect: The absence of internal controls and policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of student account information.

Context: Under an institution’s Program Participation Agreement with the US Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the US Department of Education or otherwise obtained in support of the administration of federal student financial aid programs.

Questioned Costs: There were no questioned costs identified.

Repeat Finding: This is not a repeat finding.

Recommendation: We recommend that the institution complete a comprehensive risk assessment, create a comprehensive information security policy based on that assessment, and implement those policies through the use of safeguards and other policies and procedures.

Views of responsible officials: Management agrees with this finding. See corrective action plan.

Criteria: Per 34 CFR 685.309, schools are required to accurately report enrollment information under the Direct Loan program via the NSLDS. Enrollment status changes for students should be reported to NSLDS within 30 days, or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the effective change in status, or the date of determination if the date of determination was determined after the withdrawal date. At a minimum, schools are required to certify enrollment every 60 days. The NSLDS Enrollment Reporting Guide further states that the information that is reported to the Department of Education should be accurate and timely. Per the NSLDS Enrollment Reporting Guide section 4.4.3, when a student withdraws during a term, the effective date for the withdrawn status is the withdrawal date used by the institution. In the case of a student who completes a term but does not return for the next term, leaving the course of study uncompleted, the effective date of the withdrawn status is the final day of the term in which the student was last enrolled. The effective date for graduation status is the date that the school assigns to the completion/graduation. Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving Federal awards to establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure enrollment reporting is completed properly.

Condition: During our testing of students that were disbursed financial aid during the 2022-2023 school year, there were 13 instances of students that withdrew or graduated during and after the Spring 2023 semester that were not reflected in the NSLDS within 60 days. RSM observed through Empower (student portal) and other internal reports (including transcripts) that these students should have shown statuses of graduated/withdrawn on their NSLDS reports as of the audit period. Additionally, we noted that the NSLDS report showed three students who withdrew from the College for whom the NSLDS reflected an incorrect Enrollment Effective date at both the campus level and the program level: the students withdrew during March and April of the Spring 2023 semester, but the campus-level enrollment effective date listed on the NSLDS report was May 5, 2023 (the last day of the Spring 2023 semester), while the program-level enrollment effective date listed was December 16, 2022.

Cause: The institution did not properly report the Spring 2023 students with enrollment status changes to the Clearinghouse/NSLDS by leaving out the program-level information, which created error codes that were not properly addressed by the institution. The dates reported for the three student withdrawals were not correctly documented.

Effect: The administration of the Title IV program depends heavily on the accuracy and timeliness of the enrollment information reported by institutions. Without accurate and timely NSLDS reporting there is a diminished ability for the Department of Education to properly administer the program.

Context: 13 of the 13 status changes tested. In accordance with the OMB Compliance Supplement, our sample did not include any enrollment reporting data due from July 19, 2022 through February 28, 2023 in our evaluation of the enrollment reporting requirements due to the NSLDS system modernization. Our sample was not statistically valid.

Questioned Costs: None.

Repeat Finding: No.

Recommendation: Management should review the controls and procedures in place to verify that accurate, timely, and complete data is being submitted to NSLDS. This should include separation of the preparation of data from the review and completion of the submission, as well as additional methods to help identify errors.

Views of responsible officials: Management agrees with this finding. See corrective action plan.
Criteria: 2 CFR 200.303(a) requires that “the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Program Participation Agreement (PPA) with the United States Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314, which includes the development of a comprehensive written security program that includes the following parts:

• 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program.
• 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
• 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment.
• 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards they have implemented.
• 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program.
• 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee their information system service providers.

Condition: The institution’s written information security program did not include the following elements required by regulation as agreed to in the Program Participation Agreement:

• The written information security program does not designate an individual responsible for overseeing and implementing the institution’s information security program or enforcing the information security program.
• The institution has performed a risk assessment utilizing internal resources but has not based the information security program on the results of this assessment, nor has the institution included all required elements of internal and external risks to the security, confidentiality, or integrity of customer information. The institution’s risk assessment is missing an inventory of IT systems that process and store customer information, and its compliance with information security elements related to multifactor authentication, access control, change management, logging and alerting, and encryption.
• The institution has not identified, designed, or implemented safeguards for all of the risks identified in the risk assessment. The safeguards do not include the identification of security events or detection and response capabilities to support incident response.
• The institution has not been able to test safeguards because safeguards have not been designed or implemented in response to the risk assessment.
• The institution has not developed written policies and procedures to ensure that personnel are able to enact the information security program. There is a lack of evidence of leadership being required to report to the board or an appropriate supervisory council to ensure those charged with governance are informed on the current state of the information security program.
• The institution has not developed policies and procedures to oversee information service providers.

Cause: The institution has not created or implemented a comprehensive information security policy.

Effect: The absence of internal controls and policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of student account information.

Context: Under an institution’s Program Participation Agreement with the US Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the US Department of Education or otherwise obtained in support of the administration of federal student financial aid programs.

Questioned Costs: There were no questioned costs identified.

Repeat Finding: This is not a repeat finding.

Recommendation: We recommend that the institution complete a comprehensive risk assessment, create a comprehensive information security policy based on that assessment, and implement those policies through the use of safeguards and other policies and procedures.

Views of responsible officials: Management agrees with this finding. See corrective action plan.
Criteria: Per 34 CFR 685.309, schools are required to accurately report enrollment information under the Direct Loan program via the NSLDS. Enrollment status changes for students should be reported to NSLDS within 30 days, or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the effective change in status, or of the date of determination if the date of determination was determined after the withdrawal date. At a minimum, schools are required to certify enrollment every 60 days. The NSLDS Enrollment Reporting Guide further states that the information reported to the Department of Education should be accurate and timely. Per the NSLDS Enrollment Reporting Guide section 4.4.3, when a student withdraws during a term, the effective date for the withdrawn status is the withdrawal date used by the institution. In the case of a student who completes a term and does not return for the next term, leaving the course of study uncompleted, the effective date of the withdrawn status is the final day of the term in which the student was last enrolled. The effective date for graduation status is the date that the school assigns to the completion/graduation. Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving Federal awards to establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure enrollment reporting is completed properly.

Condition: During our testing of students that were disbursed financial aid during the 2022-2023 school year, there were 13 instances of students that withdrew or graduated during and after the Spring 2023 semester that were not reflected in the NSLDS within 60 days.