Audit 292954

FY End: 2023-05-31
Total Expended: $9.80M
Findings: 16
Programs: 7
Year: 2023
Accepted: 2024-02-29

Findings

ID Ref Severity Repeat Requirement
371240 2023-001 Material Weakness - N
371241 2023-002 Significant Deficiency - N
371242 2023-001 Material Weakness - N
371243 2023-002 Significant Deficiency - N
371244 2023-001 Material Weakness - N
371245 2023-002 Significant Deficiency - N
371246 2023-001 Material Weakness - N
371247 2023-002 Significant Deficiency - N
947682 2023-001 Material Weakness - N
947683 2023-002 Significant Deficiency - N
947684 2023-001 Material Weakness - N
947685 2023-002 Significant Deficiency - N
947686 2023-001 Material Weakness - N
947687 2023-002 Significant Deficiency - N
947688 2023-001 Material Weakness - N
947689 2023-002 Significant Deficiency - N

Contacts

Name Title Type
JQSDRGK2M9S3 Deidre Erwin Auditee
4148473235 Ryan J. Lay, CPA Auditor
No contacts on file

Notes to SEFA

Title: Basis of Presentation
Accounting Policies: Expenditures reported on the Schedules are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement.
De Minimis Rate Used: N
Rate Explanation: The Institute has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance.

The accompanying schedules of expenditures of federal and state awards (the Schedules) include the federal and state award activity of Milwaukee Institute of Art and Design, Inc. (the Institute) under programs of the federal and state government for the year ended May 31, 2023. The information in these Schedules is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) and the State Single Audit Guidelines. Because the Schedules present only a selected portion of the operations of the Institute, it is not intended to and does not present the financial position, changes in net assets or cash flows of the Institute.

Finding Details

2023-001
Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster.
Finding Type: Noncompliance and material weakness in internal control over compliance relating to special tests.
Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for accurately and timely reporting significant data elements under the Campus-Level and Program-Level records within the National Student Loan Data System (NSLDS) that DOE considers high risk.
Statement of Condition: Management implemented controls that specifically addressed the circumstances surrounding prior year finding 2022-001. Management's review of the enrollment reporting did not detect other errors on certain student data elements or timely reporting. Certain student records within the NSLDS were identified with inaccurate data elements and not timely reported.
Questioned Costs: Questioned costs could not be determined.
Context: 10 students were identified with inaccurate data elements and not timely reported out of a total of 25 students tested.
Cause: The Institute’s internal control over compliance did not detect and correct the errors. The preparer incorrectly input the student's effective date and status into NSLDS resulting in inaccuracies in significant Campus-Level and Program-Level enrollment data elements that DOE considers high risk.
Effect: The Institute incorrectly reported certain Campus-Level and Program-Level records in NSLDS which is information that DOE considers high risk and the Institute’s internal controls over compliance did not detect and correct the errors.
Recommendation: We recommend management review policies and procedures surrounding enrollment reporting submissions to ensure the accuracy of data elements reported to DOE. A review performed by an appropriate individual separate from the preparer prior to the submission of the enrollment reports to NSLDS may improve the accuracy of enrollment reporting.
Management’s Response: Management agrees with the finding. Through internal investigation, it was determined that there was a procedural issue with the manual entry of two date fields which both need to be the same when submitted to National Student Clearinghouse (NSC). Human error during these manual checks caused one data field to be correct, and the other incorrect. This error has been fixed so that both fields will always be the same and accurate. The Institute has also updated our enrollment reporting procedures to have the registrar log into NSLDS monthly to confirm that the prior month NSC status changes are properly recorded in NSLDS.

2023-002
Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster.
Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests.
Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal Regulations (CFR) 314.4 (b).
Statement of Condition: The Institute performed a risk assessment however the safeguards for the risks identified were not formally documented through a policy. A formal policy was not reviewed in fiscal year 2023 which would have addressed required areas noted in 16 CFR 314.4 (b).
Questioned Costs: Questioned costs could not be determined.
Context: A policy and documentation linking the safeguards to the risk assessment was not formally written. The internal controls over compliance at the Institute did not identify the noncompliance. However, the Institute performed risk assessments and has appropriate safeguards for each area identified within 16 CFR 314.4(b).
Cause: The Institute did not have internal controls in place to identify the need for the policy documenting the safeguards required by the Gramm-Leach-Bliley Act.
Effect: The Institute has no documented policy and the related safeguards for each risk identified.
Recommendation: We recommend management review 16 CFR 314.4 (b) to create a policy that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures. This policy should be formalized and reviewed annually. We recommend that the Institute document the approval and acceptance of the policy. In addition, we recommend management review internal control processes for special tests and provisions on an annual basis.
Management’s Response: Management agrees with the finding. The Institute is currently developing a comprehensive cyber-security policy to address 16 CFR 314.4 (b), which will be formalized, approved by Senior Staff, and reviewed annually. The Institute is now conducting annual penetration tests, the most recent in December 2023, to address internal control processes. The Institute has contracted with a planning team at CDW to determine best practices and perform training. The Institute has begun providing a quarterly GLBA Compliance update to our board, with an annual comprehensive GLBA review to the board.
2023-001 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and material weakness in internal control over compliance relating to special tests. Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for accurately and timely reporting significant data elements under the Campus-Level and Program-Level records within the National Student Loan Data System (NSLDS) that DOE considers high risk. Statement of Condition: Management implemented controls that specifically addressed the circumstances surrounding prior year finding 2022-001. Management's review of the enrollment reporting did not detect other errors on certain student data elements or timely reporting. Certain student records within the NSLDS were identified with inaccurate data elements and not timely reported. Questioned Costs: Questioned costs could not be determined. Context: 10 students were identified with inaccurate data elements and not timely reported out of a total of 25 students tested. Cause: The Institute’s internal control over compliance did not detect and correct the errors. The preparer incorrectly input the student's effective date and status into NSLDS resulting in inaccuracies in significant Campus-Level and Program-Level enrollment data elements that DOE considers high risk. Effect: The Institute incorrectly reported certain Campus-Level and Program-Level records in NSLDS which is information that DOE considers high risk and the Institute’s internal controls over compliance did not detect and correct the errors. Recommendation: We recommend management review policies and procedures surrounding enrollment reporting submissions to ensure the accuracy of data elements reported to DOE. 
A review performed by an appropriate individual separate from the preparer prior to the submission of the enrollment reports to NSLDS may improve the accuracy of enrollment reporting. Management’s Response: Management agrees with the finding. Through internal investigation, it was determined that there was a procedural issue with the manual entry of two date fields which both need to be the same when submitted to National Student Clearinghouse (NSC). Human error during these manual checks caused one data field to be correct, and the other incorrect. This error has been fixed so that both fields will always be the same and accurate. The Institute has also updated our enrollment reporting procedures to have the registrar log into NSLDS monthly to confirm that the prior month NSC status changes are properly recorded in NSLDS.
2023-002 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests. Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal Regulations (CFR) 314.4 (b). Statement of Condition: The Institute performed a risk assessment however the safeguards for the risks identified were not formally documented through a policy. A formal policy was not reviewed in fiscal year 2023 which would have addressed required areas noted in 16 CFR 314.4 (b). Questioned Costs: Questioned costs could not be determined. Context: A policy and documentation linking the safeguards to the risk assessment was not formally written. The internal controls over compliance at the Institute did not identify the noncompliance. However, the Institute performed risk assessments and has appropriate safeguards for each area identified within 16 CFR 314.4(b). Cause: The Institute did not have internal controls in place to identify the need for the policy documenting the safeguards required by the Gramm-Leach-Bliley Act. Effect: The Institute has no documented policy and the related safeguards for each risk identified. Recommendation: We recommend management review 16 CFR 314.4 (b) to create a policy that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures. 
This policy should be formalized and reviewed annually. We recommend that the Institute document the approval and acceptance of the policy. In addition, we recommend management review internal control processes for special tests and provisions on an annual basis. Management’s Response: Management agrees with the finding. The Institute is currently developing a comprehensive cyber-security policy to address 16 CFR 314.4 (b), which will be formalized, approved by Senior Staff, and reviewed annually. The Institute is now conducting annual penetration tests, the most recent in December 2023, to address internal control processes. The Institute has contracted with a planning team at CDW to determine best practices and perform training. The Institute has begun providing a quarterly GLBA Compliance update to our board, with an annual comprehensive GLBA review to the board.
2023-001 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and material weakness in internal control over compliance relating to special tests. Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for accurately and timely reporting significant data elements under the Campus-Level and Program-Level records within the National Student Loan Data System (NSLDS) that DOE considers high risk. Statement of Condition: Management implemented controls that specifically addressed the circumstances surrounding prior year finding 2022-001. Management's review of the enrollment reporting did not detect other errors on certain student data elements or timely reporting. Certain student records within the NSLDS were identified with inaccurate data elements and not timely reported. Questioned Costs: Questioned costs could not be determined. Context: 10 students were identified with inaccurate data elements and not timely reported out of a total of 25 students tested. Cause: The Institute’s internal control over compliance did not detect and correct the errors. The preparer incorrectly input the student's effective date and status into NSLDS resulting in inaccuracies in significant Campus-Level and Program-Level enrollment data elements that DOE considers high risk. Effect: The Institute incorrectly reported certain Campus-Level and Program-Level records in NSLDS which is information that DOE considers high risk and the Institute’s internal controls over compliance did not detect and correct the errors. Recommendation: We recommend management review policies and procedures surrounding enrollment reporting submissions to ensure the accuracy of data elements reported to DOE. 
A review performed by an appropriate individual separate from the preparer prior to the submission of the enrollment reports to NSLDS may improve the accuracy of enrollment reporting. Management’s Response: Management agrees with the finding. Through internal investigation, it was determined that there was a procedural issue with the manual entry of two date fields which both need to be the same when submitted to National Student Clearinghouse (NSC). Human error during these manual checks caused one data field to be correct, and the other incorrect. This error has been fixed so that both fields will always be the same and accurate. The Institute has also updated our enrollment reporting procedures to have the registrar log into NSLDS monthly to confirm that the prior month NSC status changes are properly recorded in NSLDS.
2023-002 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests. Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal Regulations (CFR) 314.4 (b). Statement of Condition: The Institute performed a risk assessment however the safeguards for the risks identified were not formally documented through a policy. A formal policy was not reviewed in fiscal year 2023 which would have addressed required areas noted in 16 CFR 314.4 (b). Questioned Costs: Questioned costs could not be determined. Context: A policy and documentation linking the safeguards to the risk assessment was not formally written. The internal controls over compliance at the Institute did not identify the noncompliance. However, the Institute performed risk assessments and has appropriate safeguards for each area identified within 16 CFR 314.4(b). Cause: The Institute did not have internal controls in place to identify the need for the policy documenting the safeguards required by the Gramm-Leach-Bliley Act. Effect: The Institute has no documented policy and the related safeguards for each risk identified. Recommendation: We recommend management review 16 CFR 314.4 (b) to create a policy that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures. 
This policy should be formalized and reviewed annually. We recommend that the Institute document the approval and acceptance of the policy. In addition, we recommend management review internal control processes for special tests and provisions on an annual basis. Management’s Response: Management agrees with the finding. The Institute is currently developing a comprehensive cyber-security policy to address 16 CFR 314.4 (b), which will be formalized, approved by Senior Staff, and reviewed annually. The Institute is now conducting annual penetration tests, the most recent in December 2023, to address internal control processes. The Institute has contracted with a planning team at CDW to determine best practices and perform training. The Institute has begun providing a quarterly GLBA Compliance update to our board, with an annual comprehensive GLBA review to the board.
2023-001 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and material weakness in internal control over compliance relating to special tests. Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for accurately and timely reporting significant data elements under the Campus-Level and Program-Level records within the National Student Loan Data System (NSLDS) that DOE considers high risk. Statement of Condition: Management implemented controls that specifically addressed the circumstances surrounding prior year finding 2022-001. Management's review of the enrollment reporting did not detect other errors on certain student data elements or timely reporting. Certain student records within the NSLDS were identified with inaccurate data elements and not timely reported. Questioned Costs: Questioned costs could not be determined. Context: 10 students were identified with inaccurate data elements and not timely reported out of a total of 25 students tested. Cause: The Institute’s internal control over compliance did not detect and correct the errors. The preparer incorrectly input the student's effective date and status into NSLDS resulting in inaccuracies in significant Campus-Level and Program-Level enrollment data elements that DOE considers high risk. Effect: The Institute incorrectly reported certain Campus-Level and Program-Level records in NSLDS which is information that DOE considers high risk and the Institute’s internal controls over compliance did not detect and correct the errors. Recommendation: We recommend management review policies and procedures surrounding enrollment reporting submissions to ensure the accuracy of data elements reported to DOE. 
A review performed by an appropriate individual separate from the preparer prior to the submission of the enrollment reports to NSLDS may improve the accuracy of enrollment reporting. Management’s Response: Management agrees with the finding. Through internal investigation, it was determined that there was a procedural issue with the manual entry of two date fields which both need to be the same when submitted to National Student Clearinghouse (NSC). Human error during these manual checks caused one data field to be correct, and the other incorrect. This error has been fixed so that both fields will always be the same and accurate. The Institute has also updated our enrollment reporting procedures to have the registrar log into NSLDS monthly to confirm that the prior month NSC status changes are properly recorded in NSLDS.
2023-002 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests. Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal Regulations (CFR) 314.4 (b). Statement of Condition: The Institute performed a risk assessment however the safeguards for the risks identified were not formally documented through a policy. A formal policy was not reviewed in fiscal year 2023 which would have addressed required areas noted in 16 CFR 314.4 (b). Questioned Costs: Questioned costs could not be determined. Context: A policy and documentation linking the safeguards to the risk assessment was not formally written. The internal controls over compliance at the Institute did not identify the noncompliance. However, the Institute performed risk assessments and has appropriate safeguards for each area identified within 16 CFR 314.4(b). Cause: The Institute did not have internal controls in place to identify the need for the policy documenting the safeguards required by the Gramm-Leach-Bliley Act. Effect: The Institute has no documented policy and the related safeguards for each risk identified. Recommendation: We recommend management review 16 CFR 314.4 (b) to create a policy that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures. 
This policy should be formalized and reviewed annually. We recommend that the Institute document the approval and acceptance of the policy. In addition, we recommend management review internal control processes for special tests and provisions on an annual basis. Management’s Response: Management agrees with the finding. The Institute is currently developing a comprehensive cyber-security policy to address 16 CFR 314.4 (b), which will be formalized, approved by Senior Staff, and reviewed annually. The Institute is now conducting annual penetration tests, the most recent in December 2023, to address internal control processes. The Institute has contracted with a planning team at CDW to determine best practices and perform training. The Institute has begun providing a quarterly GLBA Compliance update to our board, with an annual comprehensive GLBA review to the board.
2023-001 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and material weakness in internal control over compliance relating to special tests. Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for accurately and timely reporting significant data elements under the Campus-Level and Program-Level records within the National Student Loan Data System (NSLDS) that DOE considers high risk. Statement of Condition: Management implemented controls that specifically addressed the circumstances surrounding prior year finding 2022-001. Management's review of the enrollment reporting did not detect other errors on certain student data elements or timely reporting. Certain student records within the NSLDS were identified with inaccurate data elements and not timely reported. Questioned Costs: Questioned costs could not be determined. Context: 10 students were identified with inaccurate data elements and not timely reported out of a total of 25 students tested. Cause: The Institute’s internal control over compliance did not detect and correct the errors. The preparer incorrectly input the student's effective date and status into NSLDS resulting in inaccuracies in significant Campus-Level and Program-Level enrollment data elements that DOE considers high risk. Effect: The Institute incorrectly reported certain Campus-Level and Program-Level records in NSLDS which is information that DOE considers high risk and the Institute’s internal controls over compliance did not detect and correct the errors. Recommendation: We recommend management review policies and procedures surrounding enrollment reporting submissions to ensure the accuracy of data elements reported to DOE. 
A review performed by an appropriate individual separate from the preparer prior to the submission of the enrollment reports to NSLDS may improve the accuracy of enrollment reporting. Management’s Response: Management agrees with the finding. Through internal investigation, it was determined that there was a procedural issue with the manual entry of two date fields which both need to be the same when submitted to National Student Clearinghouse (NSC). Human error during these manual checks caused one data field to be correct, and the other incorrect. This error has been fixed so that both fields will always be the same and accurate. The Institute has also updated our enrollment reporting procedures to have the registrar log into NSLDS monthly to confirm that the prior month NSC status changes are properly recorded in NSLDS.
2023-002 Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster. Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests. Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal Regulations (CFR) 314.4 (b). Statement of Condition: The Institute performed a risk assessment however the safeguards for the risks identified were not formally documented through a policy. A formal policy was not reviewed in fiscal year 2023 which would have addressed required areas noted in 16 CFR 314.4 (b). Questioned Costs: Questioned costs could not be determined. Context: A policy and documentation linking the safeguards to the risk assessment was not formally written. The internal controls over compliance at the Institute did not identify the noncompliance. However, the Institute performed risk assessments and has appropriate safeguards for each area identified within 16 CFR 314.4(b). Cause: The Institute did not have internal controls in place to identify the need for the policy documenting the safeguards required by the Gramm-Leach-Bliley Act. Effect: The Institute has no documented policy and the related safeguards for each risk identified. Recommendation: We recommend management review 16 CFR 314.4 (b) to create a policy that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures. 
This policy should be formalized and reviewed annually. We recommend that the Institute document the approval and acceptance of the policy. In addition, we recommend management review internal control processes for special tests and provisions on an annual basis. Management’s Response: Management agrees with the finding. The Institute is currently developing a comprehensive cyber-security policy to address 16 CFR 314.4 (b), which will be formalized, approved by Senior Staff, and reviewed annually. The Institute is now conducting annual penetration tests, the most recent in December 2023, to address internal control processes. The Institute has contracted with a planning team at CDW to determine best practices and perform training. The Institute has begun providing a quarterly GLBA Compliance update to our board, with an annual comprehensive GLBA review to the board.
2023-001
Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster.
Finding Type: Noncompliance and material weakness in internal control over compliance relating to special tests.
Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for accurately and timely reporting significant data elements under the Campus-Level and Program-Level records within the National Student Loan Data System (NSLDS) that DOE considers high risk.
Statement of Condition: Management implemented controls that specifically addressed the circumstances surrounding prior year finding 2022-001. Management's review of the enrollment reporting did not detect other errors on certain student data elements or timely reporting. Certain student records within the NSLDS were identified with inaccurate data elements and not timely reported.
Questioned Costs: Questioned costs could not be determined.
Context: 10 students were identified with inaccurate data elements and not timely reported out of a total of 25 students tested.
Cause: The Institute’s internal control over compliance did not detect and correct the errors. The preparer incorrectly input the student's effective date and status into NSLDS, resulting in inaccuracies in significant Campus-Level and Program-Level enrollment data elements that DOE considers high risk.
Effect: The Institute incorrectly reported certain Campus-Level and Program-Level records in NSLDS, which is information that DOE considers high risk, and the Institute’s internal controls over compliance did not detect and correct the errors.
Recommendation: We recommend management review policies and procedures surrounding enrollment reporting submissions to ensure the accuracy of data elements reported to DOE. A review performed by an appropriate individual separate from the preparer prior to the submission of the enrollment reports to NSLDS may improve the accuracy of enrollment reporting.
Management’s Response: Management agrees with the finding. Through internal investigation, it was determined that there was a procedural issue with the manual entry of two date fields which both need to be the same when submitted to National Student Clearinghouse (NSC). Human error during these manual checks caused one data field to be correct, and the other incorrect. This error has been fixed so that both fields will always be the same and accurate. The Institute has also updated our enrollment reporting procedures to have the registrar log into NSLDS monthly to confirm that the prior month NSC status changes are properly recorded in NSLDS.
2023-002
Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster.
Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests.
Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing an annual risk assessment that addresses three required areas noted in 16 Code of Federal Regulations (CFR) 314.4(b).
Statement of Condition: The Institute performed a risk assessment; however, the safeguards for the risks identified were not formally documented through a policy. A formal policy was not reviewed in fiscal year 2023 which would have addressed required areas noted in 16 CFR 314.4(b).
Questioned Costs: Questioned costs could not be determined.
Context: A policy and documentation linking the safeguards to the risk assessment was not formally written. The internal controls over compliance at the Institute did not identify the noncompliance. However, the Institute performed risk assessments and has appropriate safeguards for each area identified within 16 CFR 314.4(b).
Cause: The Institute did not have internal controls in place to identify the need for the policy documenting the safeguards required by the Gramm-Leach-Bliley Act.
Effect: The Institute has no documented policy and the related safeguards for each risk identified.
Recommendation: We recommend management review 16 CFR 314.4(b) to create a policy that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures. This policy should be formalized and reviewed annually. We recommend that the Institute document the approval and acceptance of the policy. In addition, we recommend management review internal control processes for special tests and provisions on an annual basis.
Management’s Response: Management agrees with the finding. The Institute is currently developing a comprehensive cyber-security policy to address 16 CFR 314.4(b), which will be formalized, approved by Senior Staff, and reviewed annually. The Institute is now conducting annual penetration tests, the most recent in December 2023, to address internal control processes. The Institute has contracted with a planning team at CDW to determine best practices and perform training. The Institute has begun providing a quarterly GLBA Compliance update to our board, with an annual comprehensive GLBA review to the board.