Program: Federal Direct Student Loans
Assistance Listing Number: 84.268
Federal Agency: U.S. Department of Education
Federal Award Identification Number: P268K236290
Federal Award Year: June 30, 2023
Criteria: In accordance with Title IV regulations (16 CFR 314), an Institution must protect student financial aid information by designating a Qualified Individual responsible for implementing and monitoring the Institution's information security program. In addition, the Institution's information security program must be written and address these six required minimum elements: (1) provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, (2) provides for the design and implementation of safeguards to control the risks the Institution identifies through its risk assessment, (3) provides for the Institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented, (4) provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program, (5) addresses how the Institution will oversee its information system service providers, and (6) provides for the evaluation and adjustment of its information security program in light of the results of the requested testing and monitoring or any other circumstances that it knows or has reason to know may have a material impact on the Institution's information security program.
Condition: The University has not designated a Qualified Individual responsible for implementing and monitoring the University's information security program, nor does the University have a written information security program that addresses the six required minimum elements as required by the Gramm-Leach Bliley Act (GLBA).
Questioned Costs: Not applicable.
Context: Not applicable
Effect: Failure to comply with the requirements of the GLBA's standards puts the University at risk of compromising consumer, nonpublic personal information, which could result in penalties ranging from monetary fines to restriction or loss of eligibility for Title IV funding.
Cause: There was turnover in the Qualified Individual position who is responsible for implementing and monitoring the University's information security program.
Recommendation: The University should designate a Qualified Individual responsible for implementing and monitoring the University's information security program. Additionally, the University should create and implement an information security program that addresses the six required minimum elements as required by the GLBA.
Management's Response: At the time that we replied to the question, our former Qualified Individual responsible for implementing and monitoring the Institution's information security program had left the organization a month previously. Upon reflecting on the significance of this position, I have elevated this role to a higher priority in the organization and named Darrin Burns, Director of ERP and IT, as Fielding’s Qualified Individual. In collaboration with Darrin and CIO Solutions, our MSP, we will draft the written information security program using the cybersecurity assessment results and recommendations as a starting point. In addition, we will ensure that the final document will include all six required minimum elements per Title IV regulations (16 CFR 314). The expected date of completion is April 1, and implementation will follow immediately afterward.
Program: COVID-19 - Education Stabilization Fund
Assistance Listing Number: 84.425
Federal Agency: U.S. Department of Education
Federal Award Identification Number: P425E203029, P425F200396, P425N200726
Federal Award Year: June 30, 2023
Repeat of prior year finding 2022-002.
Criteria: The CARES Act 18004(e) and the CRRSAA 314(e) requires an institution receiving funds under HEERF I and HEERF II to submit a report to the secretary, at such time in such a manner as the secretary may require. While ARP does not explicitly identify procedures by which institutions must report on their uses of HEERF grant funds, the Department of Education (ED) exercises this reporting authority under 2 CFR section 200.328 and 2 CFR section 200.329.
Condition: For the annual report covering January 1, 2022 through December 31, 2022, the indirect cost recovery/facility and administrative costs charged on the grants of the section (a)(1) institutional portion were incorrect based on supporting documentation provided by the University. In addition, for the fourth quarter 2022 (quarter ending December 31, 2022) and the first quarter 2023 (quarter ending March 31, 2023) institutional portion reports, the University reported the full amount of section (a)(1) student portion of HEERF awarded to the University on the section (a)(3) line instead of the section (a)(1) student funds awarded line, when the amount on the section (a)(3) line should have been the total Fund for the Improvement of Postsecondary Education (FIPSE) funding awarded to the University. Also, the first quarter 2023 (quarter ending March 31, 2023) institutional portion report was submitted to the Department of Education and uploaded to the University's website more than 10 days after the end of the quarter.
Questioned Costs: Not applicable.
Context: Errors were noted in the one annual report and two quarterly institutional portion reports that were tested. The University was required to file one annual report and four quarterly institutional portion reports during the fiscal year. The sample was not considered statistically valid.
Effect: The information included on the publicly-available reports and reports submitted to federal agencies was not accurate.
Cause: The exceptions noted on the reports resulted from various factors, including misunderstanding of how reports were intended to be completed and not correcting reports for changes made to the underlying supporting documentation.
Recommendation: It is recommended that the guidance surrounding the preparation of the annual and quarterly reports be reviewed. In addition, the review of reports by someone who is not the original preparer of the reports should include a detailed tie out of numbers included on the reports to the University's supporting documentation.
Management's Response: The University has updated their procedure for preparing and reviewing the required reports and has established a team from the finance department to discuss issues that arise. The team will handle the identified discrepancies through their resolution. The team will meet at least monthly, and as requested by the Senior Accountant of Grants or the Director of Finance and Accounting (DFA). The team is receiving training on procedures, guidelines, and terminology to ensure accuracy on completed reports to ensure compliance.
The updated procedure is that the Senior Accountant of Grants will prepare the quarterly and annual reports based on data provided in the accounting system and from the Office of Financial Aid and assure that the reported data ties to the University’s records. The completed reports will be reviewed by the Director of Finance and Accounting. When needed, the finance team will meet to handle apparent discrepancies. Approved reports will be returned by the DFA to the Senior Accountant who will then post the reports for public viewing and submit a copy to the funder.
Program: Federal Direct Student Loans
Assistance Listing Number: 84.268
Federal Agency: U.S. Department of Education
Federal Award Identification Number: P268K236290
Federal Award Year: June 30, 2023
Criteria: In accordance with Title IV regulations (16 CFR 314), an Institution must protect student financial aid information by designating a Qualified Individual responsible for implementing and monitoring the Institution's information security program. In addition, the Institution's information security program must be written and address these six required minimum elements: (1) provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, (2) provides for the design and implementation of safeguards to control the risks the Institution identifies through its risk assessment, (3) provides for the Institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented, (4) provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program, (5) addresses how the Institution will oversee its information system service providers, and (6) provides for the evaluation and adjustment of its information security program in light of the results of the requested testing and monitoring or any other circumstances that it knows or has reason to know may have a material impact on the Institution's information security program.
Condition: The University has not designated a Qualified Individual responsible for implementing and monitoring the University's information security program, nor does the University have a written information security program that addresses the six required minimum elements as required by the Gramm-Leach Bliley Act (GLBA).
Questioned Costs: Not applicable.
Context: Not applicable
Effect: Failure to comply with the requirements of the GLBA's standards puts the University at risk of compromising consumer, nonpublic personal information, which could result in penalties ranging from monetary fines to restriction or loss of eligibility for Title IV funding.
Cause: There was turnover in the Qualified Individual position who is responsible for implementing and monitoring the University's information security program.
Recommendation: The University should designate a Qualified Individual responsible for implementing and monitoring the University's information security program. Additionally, the University should create and implement an information security program that addresses the six required minimum elements as required by the GLBA.
Management's Response: At the time that we replied to the question, our former Qualified Individual responsible for implementing and monitoring the Institution's information security program had left the organization a month previously. Upon reflecting on the significance of this position, I have elevated this role to a higher priority in the organization and named Darrin Burns, Director of ERP and IT, as Fielding’s Qualified Individual. In collaboration with Darrin and CIO Solutions, our MSP, we will draft the written information security program using the cybersecurity assessment results and recommendations as a starting point. In addition, we will ensure that the final document will include all six required minimum elements per Title IV regulations (16 CFR 314). The expected date of completion is April 1, and implementation will follow immediately afterward.
Program: COVID-19 - Education Stabilization Fund
Assistance Listing Number: 84.425
Federal Agency: U.S. Department of Education
Federal Award Identification Number: P425E203029, P425F200396, P425N200726
Federal Award Year: June 30, 2023
Repeat of prior year finding 2022-002.
Criteria: The CARES Act 18004(e) and the CRRSAA 314(e) requires an institution receiving funds under HEERF I and HEERF II to submit a report to the secretary, at such time in such a manner as the secretary may require. While ARP does not explicitly identify procedures by which institutions must report on their uses of HEERF grant funds, the Department of Education (ED) exercises this reporting authority under 2 CFR section 200.328 and 2 CFR section 200.329.
Condition: For the annual report covering January 1, 2022 through December 31, 2022, the indirect cost recovery/facility and administrative costs charged on the grants of the section (a)(1) institutional portion were incorrect based on supporting documentation provided by the University. In addition, for the fourth quarter 2022 (quarter ending December 31, 2022) and the first quarter 2023 (quarter ending March 31, 2023) institutional portion reports, the University reported the full amount of section (a)(1) student portion of HEERF awarded to the University on the section (a)(3) line instead of the section (a)(1) student funds awarded line, when the amount on the section (a)(3) line should have been the total Fund for the Improvement of Postsecondary Education (FIPSE) funding awarded to the University. Also, the first quarter 2023 (quarter ending March 31, 2023) institutional portion report was submitted to the Department of Education and uploaded to the University's website more than 10 days after the end of the quarter.
Questioned Costs: Not applicable.
Context: Errors were noted in the one annual report and two quarterly institutional portion reports that were tested. The University was required to file one annual report and four quarterly institutional portion reports during the fiscal year. The sample was not considered statistically valid.
Effect: The information included on the publicly-available reports and reports submitted to federal agencies was not accurate.
Cause: The exceptions noted on the reports resulted from various factors, including misunderstanding of how reports were intended to be completed and not correcting reports for changes made to the underlying supporting documentation.
Recommendation: It is recommended that the guidance surrounding the preparation of the annual and quarterly reports be reviewed. In addition, the review of reports by someone who is not the original preparer of the reports should include a detailed tie out of numbers included on the reports to the University's supporting documentation.
Management's Response: The University has updated their procedure for preparing and reviewing the required reports and has established a team from the finance department to discuss issues that arise. The team will handle the identified discrepancies through their resolution. The team will meet at least monthly, and as requested by the Senior Accountant of Grants or the Director of Finance and Accounting (DFA). The team is receiving training on procedures, guidelines, and terminology to ensure accuracy on completed reports to ensure compliance.
The updated procedure is that the Senior Accountant of Grants will prepare the quarterly and annual reports based on data provided in the accounting system and from the Office of Financial Aid and assure that the reported data ties to the University’s records. The completed reports will be reviewed by the Director of Finance and Accounting. When needed, the finance team will meet to handle apparent discrepancies. Approved reports will be returned by the DFA to the Senior Accountant who will then post the reports for public viewing and submit a copy to the funder.