Finding 2023-003 - Significant Deficiency, Compliance
Federal Award No. 84.007, 84.033, 84.038, 84.063, 84.268, 84.379
U.S. Department Of Education
Student Financial Aid Cluster – Special Tests and Provisions
Criteria: In accordance with Federal Regulations 34 CFR 668.171, an institution administering Federal Student Financial Aid must obtain a minimum composite score of 1.5 to fulfill the requirements of financial responsibility and be above 1.0 to be considered for “Zone Alternative” treatment.
Condition: For the year under audit, the College’s financial responsibility composite score will fail to meet the numeric standard of responsibility as set by the Department of Education (ED). However, when an institution cannot meet the criteria for financial responsibility through the composite score, ED provides other ways to comply with this standard. One way the College can comply with this standard is by obtaining an irrevocable letter of credit from a bank. In addition, the College must make Federal Student Financial Aid disbursements under the heightened cash monitoring method described in 34 CFR 668.162.
Context: The College’s ED financial responsibility composite was between 1.0 and 1.5 in the past three fiscal years. The College has not been able to bring its score above 1.5 and therefore will continue to have to obtain a letter of credit and follow heightened cash monitoring procedures.
Effect: The College will have to obtain a letter of credit and follow heightened cash monitoring procedures. Additionally, the College may be required to provide further documentation of its financial plans and progress to accreditation agencies through which it may seek accreditation.
Questioned Costs: None noted.
Cause: Bethany College does not have proper processes and related controls in place to ensure that the required financial responsibility composite score does not fall below 1.5.
Indication Of Repeat Finding: This is a repeat of a finding in the immediately prior year; see Summary Schedule of Prior Audit Findings 2022-001.
Recommendation: We recommend that the College implement controls and processes for monitoring budgets that include all expenses including non-cash transactions in order to adequately anticipate the revenue needed to cover the expenses of the College. We recommend that the College evaluate all of its cost centers and revenue streams to ensure that the College is maximizing fiscal efficiency while still achieving the mission of the College.
Views Of Responsible Officials (Unaudited): The College has obtained the required letter of credit from a local bank and will comply with federal heightened cash monitoring requirements. The College continues to work to positively align revenues and expenses. The College regularly monitors its cash flows and expense budgets both for timing and savings. Efforts continue to increase net student revenues to reduce the need for current-year contributions and other income for operating expenses. The College will continue to carefully plan and manage institutional financial aid to yield stronger net student revenues to support operations.
Anticipated Completion Date: August 2024
Contact Person: Steven W. Eckman, President
Finding 2023-004 - Significant Deficiency, Compliance
Federal Award No. 84.268
U.S. Department Of Education
Student Financial Aid Cluster – Eligibility
Criteria: According to the 2022-2023 Student Financial Aid Handbook, the College is required to award subsidized loans up to the maximum amount available for each student for a given year based on the student’s need analysis and aggregate borrowing history before the College awards unsubsidized loans.
Condition: In our nonstatistical sample of 40 students, we noted 2 students who were awarded unsubsidized loans instead of subsidized loans when the student had remaining subsidized loan eligibility in the 2022-23 academic year.
Context: Both students that were underawarded subsidized loans and overawarded unsubsidized loans were initially capped on the total amount of federal direct loans that could be awarded to the students based on the students’ need analysis and aggregate loan limits. When packaging the loans, the student financial aid staff erroneously awarded portions of the loan awards as direct unsubsidized loans instead of subsidized loan awards. For both students the total amount of loan awards was proper and the student was not overawarded or underawarded overall. One student was overawarded unsubsidized loans and underawarded subsidized loans in the amount of $5,000 and the other student was overawarded unsubsidized loans and underawarded subsidized loans in the amount of $1,500.
Effect: Students are charged interest on unsubsidized loans while enrolled at least half-time at higher education institutions, whereas students are not charged interest on subsidized loans. Therefore, the students were charged approximately $188 and $75, respectively, in interest that the students should not have incurred if the loans were awarded properly.
Questioned Costs: $263 additional interest costs incurred by students
Cause: Bethany College did not have proper processes and related controls in place to ensure that awards were packaged appropriately for circumstances where a student’s loan eligibility was limited by the need analysis calculation or by aggregate loan limits.
Indication Of Repeat Finding: This is not a repeat finding.
Recommendation: The Financial Aid department should put in place controls that would ensure that all loans are properly awarded including additional review of loan awards that are made as a result of adjustments needed to a student’s loan award to accommodate an annual or aggregate limit.
Views Of Responsible Officials (Unaudited): The College concurs with the finding and has reviewed and where appropriate made updates to the processes used to package loans when there is an annual or aggregate loan limit reached.
Completion Date: August 2023
Contact Person: Haley Wesley, Vice President of Enrollment Management & Marketing
Finding 2023-005 - Significant Deficiency, Compliance
Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038
U.S. Department Of Education
Student Financial Aid Cluster - Special Tests and Provisions
Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, that the program be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and that the following 8 safeguards be documented:
• Implement and periodically review access controls
• Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted
• Encrypt customer information on the institution’s system and when it’s in transit
• Assess apps developed by the institution
• Implement multi-factor authentication for anyone accessing customer information on the institution’s system
• Dispose of customer information securely
• Anticipate and evaluate changes to the information system or network
• Maintain a log of authorized users’ activity and keep an eye out for unauthorized access
In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program.
Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by the due date of June 9, 2023 or June 30, 2023.
Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program.
Effect: The failure to meet the requirements of the FTC Safeguards Rule including establishing formal documentation of the written Information Security Program could make the College vulnerable to cyber security and student data protection risks.
Questioned Costs: None noted.
Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule.
Indication Of Repeat Finding: This is not a repeat finding.
Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule.
Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program.
Completion Date: Spring 2024
Contact Person: Joshua Bieber, Director of Information Technology
Finding 2023-005 - Significant Deficiency, Compliance
Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038
U.S. Department Of Education
Student Financial Aid Cluster - Special Tests and Provisions
Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented:
• Implement and periodically review access controls
• Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted
• Encrypt customer information on the institution’s system and when it’s in transit.
• Assess apps developed by the institution
• Implement multi-factor authentication for anyone accessing customer information on the institution’s system
• Dispose of customer information securely
• Anticipate and evaluate changes to the information system or network
• Maintain a log of authorized users’ activity and keep an eye out for unauthorized access
In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program.
Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by the due date of June 9, 2023 or June 30, 2023.
Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program.
Effect: The failure to meet the requirements of the FTC Safeguards Rule including establishing formal documentation of the written Information Security Program could make the College vulnerable to cyber security and student data protection risks.
Questioned Costs: None noted.
Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule.
Indication Of Repeat Finding: This is not a repeat finding.
Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule.
Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program.
Completion Date: Spring 2024
Contact Person: Joshua Bieber, Director of Information Technology
Finding 2023-005 - Significant Deficiency, Compliance
Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038
U.S. Department Of Education
Student Financial Aid Cluster - Special Tests and Provisions
Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and requires that the following 8 safeguards be documented:
• Implement and periodically review access controls
• Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted
• Encrypt customer information on the institution’s system and when it’s in transit.
• Assess apps developed by the institution
• Implement multi-factor authentication for anyone accessing customer information on the institution’s system
• Dispose of customer information securely
• Anticipate and evaluate changes to the information system or network
• Maintain a log of authorized users’ activity and keep an eye out for unauthorized access
In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program.
Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by the due date of June 9, 2023 or June 30, 2023.
Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program.
Effect: The failure to meet the requirements of the FTC Safeguards Rule, including establishing formal documentation of the written Information Security Program, could make the College vulnerable to cyber security and student data protection risks.
Questioned Costs: None noted.
Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule.
Indication Of Repeat Finding: This is not a repeat finding.
Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule.
Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program.
Completion Date: Spring 2024
Contact Person: Joshua Bieber, Director of Information Technology
Finding 2023-003 - Significant Deficiency, Compliance
Federal Award No. 84.007, 84.033, 84.038, 84.063, 84.268, 84.379
U.S. Department Of Education
Student Financial Aid Cluster – Special Tests and Provisions
Criteria: In accordance with Federal Regulations 34 CFR 668.171, an institution administering Federal Student Financial Aid must obtain a minimum composite score of 1.5 to fulfill the requirements of financial responsibility and be above 1.0 to be considered for “Zone Alternative” treatment.
Condition: For the year under audit, the College’s financial responsibility composite score will fail to meet the numeric standard of responsibility as set by the Department of Education (ED). However, when an institution cannot meet the criteria for financial responsibility through the composite score, ED provides other ways to comply with this standard. One way the College can comply with this standard is by obtaining an irrevocable letter of credit from a bank. In addition, the College must make Federal Student Financial Aid disbursements under the heightened cash monitoring method described in 34 CFR 668.162.
Context: The College’s ED financial responsibility composite was between 1.0 and 1.5 in the past three fiscal years. The College has not been able to bring its score above 1.5 and therefore will continue to have to obtain a letter of credit and follow heightened cash monitoring procedures.
Effect: The College will have to obtain a letter of credit and follow heightened cash monitoring procedures. Additionally, the College may be required to provide further documentation of its financial plans and progress to accreditation agencies through which it may seek accreditation.
Questioned Costs: None noted.
Cause: Bethany College does not have proper processes and related controls in place to ensure that the required financial responsibility composite score does not fall below 1.5.
Indication Of Repeat Finding: This is a repeat of a finding in the immediately prior year; see Summary Schedule of Prior Audit Findings 2022-001.
Recommendation: We recommend that the College implement controls and processes for monitoring budgets that include all expenses, including non-cash transactions, in order to adequately anticipate the revenue needed to cover the expenses of the College. We recommend that the College evaluate all of its cost centers and revenue streams to ensure that the College is maximizing fiscal efficiency while still achieving the mission of the College.
Views Of Responsible Officials (Unaudited): The College has obtained the required letter of credit from a local bank and will comply with federal heightened cash monitoring requirements. The College continues to work to positively align revenues and expenses. The College regularly monitors its cash flows and expense budgets both for timing and savings. Efforts continue to increase net student revenues to reduce the need for current-year contributions and other income for operating expenses. The College will continue to carefully plan and manage institutional financial aid to yield stronger net student revenues to support operations.
Anticipated Completion Date: August 2024
Contact Person: Steven W. Eckman, President
Finding 2023-004 - Significant Deficiency, Compliance
Federal Award No. 84.268
U.S. Department Of Education
Student Financial Aid Cluster – Eligibility
Criteria: According to the 2022-2023 Student Financial Aid Handbook, the College is required to award subsidized loans up to the maximum amount available for each student for a given year based on the student’s need analysis and aggregate borrowing history before the College awards unsubsidized loans.
Condition: In our nonstatistical sample of 40 students, we noted 2 students who were awarded unsubsidized loans instead of subsidized loans when the student had remaining subsidized loan eligibility in the 2022-23 academic year.
Context: Both students that were underawarded subsidized loans and overawarded unsubsidized loans were initially capped on the total amount of federal direct loans that could be awarded to the students based on the students’ need analysis and aggregate loan limits. When packaging the loans, the student financial aid staff erroneously awarded portions of the loan awards as direct unsubsidized loans instead of subsidized loan awards. For both students the total amount of loan awards was proper and the student was not overawarded or underawarded overall. One student was overawarded unsubsidized loans and underawarded subsidized loans in the amount of $5,000 and the other student was overawarded unsubsidized loans and underawarded subsidized loans in the amount of $1,500.
Effect: Students are charged interest on unsubsidized loans while enrolled at least half-time at higher education institutions, whereas students are not charged interest on subsidized loans. Therefore, the students were charged approximately $188 and $75, respectively, in interest that they would not have incurred if the loans had been awarded properly.
Questioned Costs: $263 additional interest costs incurred by students
Cause: Bethany College did not have proper processes and related controls in place to ensure that awards were packaged appropriately for circumstances where a student’s loan eligibility was limited by the need analysis calculation or by aggregate loan limits.
Indication Of Repeat Finding: This is not a repeat finding.
Recommendation: The Financial Aid department should put in place controls that would ensure that all loans are properly awarded including additional review of loan awards that are made as a result of adjustments needed to a student’s loan award to accommodate an annual or aggregate limit.
Views Of Responsible Officials (Unaudited): The College concurs with the finding and has reviewed and where appropriate made updates to the processes used to package loans when there is an annual or aggregate loan limit reached.
Completion Date: August 2023
Contact Person: Haley Wesley, Vice President of Enrollment Management & Marketing
Finding 2023-005 - Significant Deficiency, Compliance
Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038
U.S. Department Of Education
Student Financial Aid Cluster - Special Tests and Provisions
Criteria: The Federal Trade Commission (FTC) issued the FTC Safeguards Rule on December 9, 2021 and gave notice to entities that are required to follow the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to be in compliance with the revised requirements no later than June 9, 2023. The FTC Safeguards Rule expanded the requirements for the written information security program required to be established by the College. The requirements for the written information security program noted at 16 CFR 314.4 require that the College designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, that the program be based on a risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address those risks, and that the following 8 safeguards be documented:
• Implement and periodically review access controls
• Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted
• Encrypt customer information on the institution’s system and when it’s in transit
• Assess apps developed by the institution
• Implement multi-factor authentication for anyone accessing customer information on the institution’s system
• Dispose of customer information securely
• Anticipate and evaluate changes to the information system or network
• Maintain a log of authorized users’ activity and keep an eye out for unauthorized access
In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and establishing how it will complete the monitoring and testing in the written Information Security Program. The College is also responsible for documenting in the written Information Security Program how it will oversee its information system service providers and shall also provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the College’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program.
Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including conducting an evaluation of its current compliance and implementing many of the new requirements, but the College failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by the due date of June 9, 2023 or June 30, 2023.
Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program.
Effect: The failure to meet the requirements of the FTC Safeguards Rule including establishing formal documentation of the written Information Security Program could make the College vulnerable to cyber security and student data protection risks.
Questioned Costs: None noted.
Cause: Given the size of the College’s IT department, the College focused on implementing as many of the safeguards as possible first to meet the FTC Safeguards Rule and did not prioritize a formal update of its written Information Security Program to meet the requirements of the FTC Safeguards Rule.
Indication Of Repeat Finding: This is not a repeat finding.
Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule.
Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program.
Completion Date: Spring 2024
Contact Person: Joshua Bieber, Director of Information Technology