Audit 294999

FY End: 2023-06-30
Total Expended: $6.77M
Findings: 18
Programs: 6
Organization: Corban University (OR)
Year: 2023 Accepted: 2024-03-13
Auditor: Capincrouse LLP

Findings

ID Ref Severity Repeat Requirement
375939 2023-001 Material Weakness - N
375940 2023-001 Material Weakness - N
375941 2023-002 Significant Deficiency - N
375942 2023-002 Significant Deficiency - N
375943 2023-002 Significant Deficiency - N
375944 2023-002 Significant Deficiency - N
375945 2023-002 Significant Deficiency - N
375946 2023-002 Significant Deficiency - N
375947 2023-003 - - L
952381 2023-001 Material Weakness - N
952382 2023-001 Material Weakness - N
952383 2023-002 Significant Deficiency - N
952384 2023-002 Significant Deficiency - N
952385 2023-002 Significant Deficiency - N
952386 2023-002 Significant Deficiency - N
952387 2023-002 Significant Deficiency - N
952388 2023-002 Significant Deficiency - N
952389 2023-003 - - L

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $4.80M Yes 2
84.063 Federal Pell Grant Program $1.24M Yes 2
84.038 Federal Perkins Loan Program $523,575 Yes 2
84.007 Federal Supplemental Educational Opportunity Grants $83,305 Yes 1
84.033 Federal Work-Study Program $75,368 Yes 1
84.379 Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) $49,036 Yes 1

Contacts

Name Title Type
D4WFRK6LUJ33 Ellen Zarfas Auditee
5033757106 Tammara Williamson, CPA Auditor
No contacts on file

Notes to SEFA

Title: RELATIONSHIP TO FINANCIAL STATEMENTS
Accounting Policies: The accompanying schedule of expenditures of federal awards (the schedule) includes the federal grant activity of Corban University (University) under programs of the federal government for the year ending June 30, 2023. The information in the schedule is presented in accordance with the requirements of the Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Therefore, some amounts presented in the schedule may differ from amounts presented in, or used in the preparation of, the basic financial statements. Expenditures in the schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. If the University is required to match certain federal assistance, as defined by the grant agreements, no such matching has been included as expenditures in the schedule.
De Minimis Rate Used: N
Rate Explanation: The auditee did not use the de minimis cost rate.
See the Notes to the SEFA for chart/table

Title: SUBRECIPIENTS, NON-CASH ASSISTANCE, FEDERAL INSURANCE, LOANS, AND LOAN GUARANTEES
Accounting Policies: The accompanying schedule of expenditures of federal awards (the schedule) includes the federal grant activity of Corban University (University) under programs of the federal government for the year ending June 30, 2023. The information in the schedule is presented in accordance with the requirements of the Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Therefore, some amounts presented in the schedule may differ from amounts presented in, or used in the preparation of, the basic financial statements. Expenditures in the schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. If the University is required to match certain federal assistance, as defined by the grant agreements, no such matching has been included as expenditures in the schedule.
De Minimis Rate Used: N
Rate Explanation: The auditee did not use the de minimis cost rate.
The University did not provide any federal funds to subrecipients nor did they receive any federal non-cash assistance, insurance, loans, or loan guarantees.

Title: FEDERAL PERKINS LOAN PROGRAM
Accounting Policies: The accompanying schedule of expenditures of federal awards (the schedule) includes the federal grant activity of Corban University (University) under programs of the federal government for the year ending June 30, 2023. The information in the schedule is presented in accordance with the requirements of the Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Therefore, some amounts presented in the schedule may differ from amounts presented in, or used in the preparation of, the basic financial statements. Expenditures in the schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. If the University is required to match certain federal assistance, as defined by the grant agreements, no such matching has been included as expenditures in the schedule.
De Minimis Rate Used: N
Rate Explanation: The auditee did not use the de minimis cost rate.
See the Notes to the SEFA for chart/table

Finding Details

Inaccurate Return of Title IV Funds (R2T4)
Material Weakness
DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063
Federal Award Identification #: 2022-2023 Financial Aid Year
Condition: For nontraditional student withdrawals, the University did not always calculate unearned Title IV funds correctly.
Criteria: 34 CFR 668.22
Questioned Costs: $5,226
Context: Out of 5 students, 3 students who withdrew during the audit period tested had incorrect R2T4 calculations. All 3 modular students did not have R2T4 calculations performed correctly due to an incorrect evaluation of the total days in the students’ payment periods. For 2 of the students who unofficially withdrew, the University did not include both modules in the payment period, resulting in $5,226 of Federal Direct Loans (FDL) that should have been returned but were not. These were corrected during the audit process. For 1 student who officially withdrew, the wrong start and end dates were used causing the total days to be incorrect, resulting in $2,149 more FDL returned than required.
Cause: This was an oversight by the University due to the complexity of modular withdrawal rules.
Effect: Incorrect amounts of federal funding were returned.
Identification as repeat finding, if applicable: Not applicable.
Recommendation: We recommend that an individual in financial aid with the appropriate level of experience periodically review modular students’ R2T4 calculations and returns to help ensure that internal controls over such process can operate effectively and achieve compliance.
Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

Gramm-Leach-Bliley Act (GLBA) Compliance
Significant Deficiency
DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063, 84.007, 84.033, 84.038, and 84.379-Student Financial Assistance Cluster
Federal Award Identification #: 2022-2023 Financial Aid Year
Condition: The University did not sufficiently comply with all the requirements of GLBA.
Criteria: 16 CFR 314.3, 16 CFR 314.4
Questioned Costs: $0
Context: The University has not sufficiently documented its written information security program, its security risk assessment and safeguards, including general threats, implemented multi-factor authentication on all systems containing personally identifiable information (PII), implemented continuous monitoring, such as penetration testing and vulnerability scanning, implemented a sufficient employee training program, implemented sufficient vendor management policies and reviews, implemented an incident response plan, or provided a written, annual report to the board. We understand the University has expanded its contract with its third party to address monitoring requirements, updating vendor management requirements, and additional employee training requirements. We also understand the University has subsequently documented an incident response plan and an annual report to the board.
Cause: The University uses a third party to assist in addressing and documenting compliance with the requirements of GLBA, and all updates with the changes in regulations were not documented.
Effect: The University has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks.
Identification as repeat finding, if applicable: Not applicable
Recommendation: We recommend the University allocate sufficient resources to address all requirements of GLBA.
Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

FISAP Reporting
DEPARTMENT OF EDUCATION
ALN #: 84.038
Federal Award Identification #: 2022-2023 Financial Aid Year
Condition: The University did not accurately report certain items relating to Perkins Loan reporting on the FISAP report. Additionally, the same individual prepares and reviews the FISAP submission.
Criteria: 34 CFR 668.24(e)
Questioned Costs: $0
Context: The University did not properly report Perkins Federal Capital Contribution (FCC) and Institutional Capital Contribution (ICC) information on the 2022-2023 FISAP report.
Cause: Cumulative impact of reporting incorrect excess cash returned.
Effect: The University returned more cash to the Department of Education than required.
Identification as repeat finding, if applicable: Not applicable.
Recommendation: We recommend the University work with the Department of Education to correct errors in the Perkins portion of the FISAP. Additionally, we recommend that prior to submission, the FISAP be reviewed by a knowledgeable individual independent of the individual who prepares the FISAP.
Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.
Inaccurate Return of Title IV Funds (R2T4)Material Weakness DEPARTMENT OF EDUCATION ALN #: 84.268, 84.063 Federal Award Identification #: 2022-2023 Financial Aid Year Condition: For nontraditional student withdrawals, the University did not always calculate unearned Title IV funds correctly. Criteria: 34 CFR 668.22 Questioned Costs: $5,226 Context: Out of 5 students, 3 students who withdrew during the audit period tested had incorrect R2T4 calculations. All 3 modular students did not have R2T4 calculations performed correctly due to an incorrect evaluation of the total days in the students’ payment periods. For 2 of the students who unofficially withdrew, the University did not include both modules in the payment period, resulting in $5,226 of Federal Direct Loans (FDL) that should have been returned but were not. These were corrected during the audit process. For 1 student who officially withdrew, the wrong start and end dates were used causing the total days to be incorrect, resulting in $2,149 more FDL returned than required. Cause: This was an oversight by the University due to the complexity of modular withdrawal rules. Effect: Incorrect amounts of federal funding were returned. Identification as repeat finding, if applicable: Not applicable. Recommendation: We recommend that an individual in financial aid with the appropriate level of experience periodically review modular students’ R2T4 calculations and returns to help ensure that internal controls over such process can operate effectively and achieve compliance. Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.
Inaccurate Return of Title IV Funds (R2T4)Material Weakness DEPARTMENT OF EDUCATION ALN #: 84.268, 84.063 Federal Award Identification #: 2022-2023 Financial Aid Year Condition: For nontraditional student withdrawals, the University did not always calculate unearned Title IV funds correctly. Criteria: 34 CFR 668.22 Questioned Costs: $5,226 Context: Out of 5 students, 3 students who withdrew during the audit period tested had incorrect R2T4 calculations. All 3 modular students did not have R2T4 calculations performed correctly due to an incorrect evaluation of the total days in the students’ payment periods. For 2 of the students who unofficially withdrew, the University did not include both modules in the payment period, resulting in $5,226 of Federal Direct Loans (FDL) that should have been returned but were not. These were corrected during the audit process. For 1 student who officially withdrew, the wrong start and end dates were used causing the total days to be incorrect, resulting in $2,149 more FDL returned than required. Cause: This was an oversight by the University due to the complexity of modular withdrawal rules. Effect: Incorrect amounts of federal funding were returned. Identification as repeat finding, if applicable: Not applicable. Recommendation: We recommend that an individual in financial aid with the appropriate level of experience periodically review modular students’ R2T4 calculations and returns to help ensure that internal controls over such process can operate effectively and achieve compliance. Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.
Gramm-Leach-Bliley Act (GLBA) Compliance Significant Deficiency DEPARTMENT OF EDUCATION ALN #: 84.268, 84.063, 84.007, 84.033, 84.038, and 84.379-Student Financial Assistance Cluster Federal Award Identification #: 2022-2023 Financial Aid Year Condition: The University did not sufficiently comply with all the requirements of GLBA. Criteria: 16 CFR 314.3, 16 CFR 314.4 Questioned Costs: $0 Context: The University has not sufficiently documented its written information security program, its security risk assessment and safeguards, including general threats, implemented multi-factor authentication on all systems containing personally identifiable information (PII), implemented continuous monitoring, such as penetration testing and vulnerability scanning, implemented a sufficient employee training program, implemented sufficient vendor management policies and reviews, implemented an incident response plan, or provided a written, annual report to the board. We understand the University has expanded its contract with its third party to address monitoring requirements, updating vendor management requirements, and additional employee training requirements. We also understand the University has subsequently documented an incident response plan and an annual report to the board. Cause: The University uses a third party to assist in addressing and documenting compliance with the requirements of GLBA, and all updates with the changes in regulations were not documented. Effect: The University has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks. Identification as repeat finding, if applicable: Not applicable Recommendation: We recommend the University allocate sufficient resources to address all requirements of GLBA. Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.
Gramm-Leach-Bliley Act (GLBA) Compliance Significant Deficiency DEPARTMENT OF EDUCATION ALN #: 84.268, 84.063, 84.007, 84.033, 84.038, and 84.379-Student Financial Assistance Cluster Federal Award Identification #: 2022-2023 Financial Aid Year Condition: The University did not sufficiently comply with all the requirements of GLBA. Criteria: 16 CFR 314.3, 16 CFR 314.4 Questioned Costs: $0 Context: The University has not sufficiently documented its written information security program, its security risk assessment and safeguards, including general threats, implemented multi-factor authentication on all systems containing personally identifiable information (PII), implemented continuous monitoring, such as penetration testing and vulnerability scanning, implemented a sufficient employee training program, implemented sufficient vendor management policies and reviews, implemented an incident response plan, or provided a written, annual report to the board. We understand the University has expanded its contract with its third party to address monitoring requirements, updating vendor management requirements, and additional employee training requirements. We also understand the University has subsequently documented an incident response plan and an annual report to the board. Cause: The University uses a third party to assist in addressing and documenting compliance with the requirements of GLBA, and all updates with the changes in regulations were not documented. Effect: The University has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks. Identification as repeat finding, if applicable: Not applicable Recommendation: We recommend the University allocate sufficient resources to address all requirements of GLBA. Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.
Gramm-Leach-Bliley Act (GLBA) Compliance Significant Deficiency DEPARTMENT OF EDUCATION ALN #: 84.268, 84.063, 84.007, 84.033, 84.038, and 84.379-Student Financial Assistance Cluster Federal Award Identification #: 2022-2023 Financial Aid Year Condition: The University did not sufficiently comply with all the requirements of GLBA. Criteria: 16 CFR 314.3, 16 CFR 314.4 Questioned Costs: $0 Context: The University has not sufficiently documented its written information security program, its security risk assessment and safeguards, including general threats, implemented multi-factor authentication on all systems containing personally identifiable information (PII), implemented continuous monitoring, such as penetration testing and vulnerability scanning, implemented a sufficient employee training program, implemented sufficient vendor management policies and reviews, implemented an incident response plan, or provided a written, annual report to the board. We understand the University has expanded its contract with its third party to address monitoring requirements, updating vendor management requirements, and additional employee training requirements. We also understand the University has subsequently documented an incident response plan and an annual report to the board. Cause: The University uses a third party to assist in addressing and documenting compliance with the requirements of GLBA, and all updates with the changes in regulations were not documented. Effect: The University has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks. Identification as repeat finding, if applicable: Not applicable Recommendation: We recommend the University allocate sufficient resources to address all requirements of GLBA. Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.
FISAP Reporting
DEPARTMENT OF EDUCATION
ALN #: 84.038
Federal Award Identification #: 2022-2023 Financial Aid Year
Condition: The University did not accurately report certain items relating to Perkins Loan reporting on the FISAP report. Additionally, the same individual prepares and reviews the FISAP submission.
Criteria: 34 CFR 668.24(e)
Questioned Costs: $0
Context: The University did not properly report Perkins Federal Capital Contribution (FCC) and Institutional Capital Contribution (ICC) information on the 2022-2023 FISAP report.
Cause: Cumulative impact of reporting incorrect excess cash returned.
Effect: The University returned more cash to the Department of Education than required.
Identification as repeat finding, if applicable: Not applicable.
Recommendation: We recommend the University work with the Department of Education to correct errors in the Perkins portion of the FISAP. Additionally, we recommend that prior to submission, the FISAP be reviewed by a knowledgeable individual independent of the individual who prepares the FISAP.
Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.