FAC Explorer

Audit 296682

FY End
2023-06-30
Total Expended
$7.97M
Findings
12
Programs
9
Organization: Washington College (MD)
Year: 2023 Accepted: 2024-03-22
Auditor: Cliftonlarsonallen LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
383645 2023-001 Material Weakness Yes N
383646 2023-002 Material Weakness - N
383647 2023-001 Material Weakness Yes N
383648 2023-001 Material Weakness Yes N
383649 2023-001 Material Weakness Yes N
383650 2023-002 Material Weakness - N
960087 2023-001 Material Weakness Yes N
960088 2023-002 Material Weakness - N
960089 2023-001 Material Weakness Yes N
960090 2023-001 Material Weakness Yes N
960091 2023-001 Material Weakness Yes N
960092 2023-002 Material Weakness - N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $5.54M Yes 2
84.063 Federal Pell Grant Program $1.00M Yes 2
45.130 Promotion of the Humanities_challenge Grants $625,000 - 0
84.033 Federal Work-Study Program $183,096 Yes 1
84.007 Federal Supplemental Educational Opportunity Grants $133,972 Yes 1
66.466 Chesapeake Bay Program $92,953 - 0
20.616 National Priority Safety Programs $92,085 - 0
12.300 Basic and Applied Scientific Research $20,595 - 0
11.017 Ocean Acidification Program (oap) $3,211 - 0

Contacts

Name Title Type
PN2AXSW62L46 Teri Simmons Auditee
4107787224 Christina Bowman Auditor
No contacts on file

Notes to SEFA

Title: LOAN PROGRAMS Accounting Policies: BASIS OF PRESENTATION The accompanying Schedule of Expenditures of Federal Awards (the Schedule) includes the federal grant activity of Washington College (the College). The information in this schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). RELATIONSHIP TO BASIC FINANCIAL STATEMENTS The Schedule presents only a selected portion of the activities of the College. It is not intended to, and does not present either the financial position, changes in activities, or cash flows of the College. The financial activity for the aforementioned awards is reported in the College’s statement of activities. In certain programs, the expenditures reported in the basic financial statements may differ from the expenditures reported in the Schedule due to program expenditures exceeding grant or contract budget limitations which are not reported as expenditures in the Schedule. SUMMARY OF SIGNIFICANT ACCOUNTING POLICIES a. Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursements. b. Pass-through entity identifying numbers are presented where available. De Minimis Rate Used: N Rate Explanation: Washington College has elected not to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance. During the year ended June 30, 2023, the College processed the following amount of new loans under the Federal Direct Lending Program. Since this program is administered by outside financial institutions, new loans made during the fiscal year relating to this program are considered current year expenditures in the schedule. Assistance Listing Number -- Program Name -- Loan Expenditures 84.268 -- Federal Direct Lending -- $5,543,695

Finding Details

Finding 2023-001
Federal agency: U.S. Department of Education Federal program title: Student Financial Aid Cluster CFDA Number: 84.063, 84.268 Federal Award Identification Number: P063P221568, P268K231568 Award Period: July 1, 2022 – June 30, 2023 Type of Finding: Material Weakness in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance: 1. The Code of Federal Regulations, consisting of 34 CFR 685.309 and 34 CFR 690.83(b)(2), requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Additionally, schools are required to certify enrollment at a minimum of every 60 days or every other month. 2. Per the NSLDS Enrollment Reporting Guide, Published Program Length should be reported based on the definition of “normal time” to completion in the regulations at 34 CFR 668.41(a), as follows: a. If the school has published, in its catalog, on its website, or in any promotional materials, the length of the program in weeks, months, or years, the program length reported must be the same as the program length that the school has published. b. If the school has not published a program length and the program is an associate or bachelor’s degree program, the program length to be reported should be two years (associate) or four years (bachelor), respectively, unless the academic design of the program makes it longer or shorter than typical. c. For all other programs for which the school has not published a program length, the program length is based on the school’s determination of how long, in weeks, months, or years, the program is designed for a full-time student to complete. Condition: The change in status was not reported timely and the incorrect program length was reported to NSLDS. Questioned costs: None Context: This condition occurred in our statistically valid sample as follows: 1. The status was not reported timely for 33 out of 35 students 2. The Program Length was incorrectly reported for 35 out of 35 students Cause: The Registrar's extended absences and sudden medical leave caused significant disruptions to the College’s operations, resulting in a delay in securing a temporary replacement from the Registry. Unfortunately, the Registrar has since resigned, and the College is currently in the process of searching for a suitable replacement. Effect: 1. The published program length reported to NSLDS is used to determine the student’s maximum and remaining eligibility periods under the 150% limit. By not reporting the correct length, the calculation of the 150% would be incorrect and the grace period begin date would be incorrect. 2. The NSLDS system is not updated timely with the student information which may cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes, 2022-002 Recommendation: We recommend the College review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
Federal agency: U.S. Department of Education Federal program title: Student Financial Aid Cluster CFDA Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P221568, P268K231568, P007A221791, P033A211791 Award Period: July 1, 2022 – June 30, 2023 Type of Finding: Material Weakness in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not meeting GLBA requirements. Questioned costs: None Context: The College’s written information security program did not cover the following requirements:  Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (Risk Management section)  Assess apps developed by the institution (SDLC Policy or a policy that includes the testing done to applications provided by vendors)  Implement multi-factor authentication for anyone accessing customer information on the institution’s system (The use of MFA)  Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (performing annual penetration testing and IT Risk Assessment)  There is no Change Management Policy  There is no Vendor Management Policy  The Information Security Policy is in draft from. (Many of the requirements were located in this policy but the policy is in draft form) Cause: The college acknowledges certain deficiencies in compliance in large part due to a gap in having subject matter expertise consistently staffed in these areas. As part of the strategic plan the President has set forth a college wide goal of bringing on FTE staff with the needed subject matter expertise to properly address these compliance deficiencies. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: U.S. Department of Education Federal program title: Student Financial Aid Cluster CFDA Number: 84.063, 84.268 Federal Award Identification Number: P063P221568, P268K231568 Award Period: July 1, 2022 – June 30, 2023 Type of Finding: Material Weakness in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance: 1. The Code of Federal Regulations, consisting of 34 CFR 685.309 and 34 CFR 690.83(b)(2), requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Additionally, schools are required to certify enrollment at a minimum of every 60 days or every other month. 2. Per the NSLDS Enrollment Reporting Guide, Published Program Length should be reported based on the definition of “normal time” to completion in the regulations at 34 CFR 668.41(a), as follows: a. If the school has published, in its catalog, on its website, or in any promotional materials, the length of the program in weeks, months, or years, the program length reported must be the same as the program length that the school has published. b. If the school has not published a program length and the program is an associate or bachelor’s degree program, the program length to be reported should be two years (associate) or four years (bachelor), respectively, unless the academic design of the program makes it longer or shorter than typical. c. For all other programs for which the school has not published a program length, the program length is based on the school’s determination of how long, in weeks, months, or years, the program is designed for a full-time student to complete. Condition: The change in status was not reported timely and the incorrect program length was reported to NSLDS. Questioned costs: None Context: This condition occurred in our statistically valid sample as follows: 1. The status was not reported timely for 33 out of 35 students 2. The Program Length was incorrectly reported for 35 out of 35 students Cause: The Registrar's extended absences and sudden medical leave caused significant disruptions to the College’s operations, resulting in a delay in securing a temporary replacement from the Registry. Unfortunately, the Registrar has since resigned, and the College is currently in the process of searching for a suitable replacement. Effect: 1. The published program length reported to NSLDS is used to determine the student’s maximum and remaining eligibility periods under the 150% limit. By not reporting the correct length, the calculation of the 150% would be incorrect and the grace period begin date would be incorrect. 2. The NSLDS system is not updated timely with the student information which may cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes, 2022-002 Recommendation: We recommend the College review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: U.S. Department of Education Federal program title: Student Financial Aid Cluster CFDA Number: 84.063, 84.268 Federal Award Identification Number: P063P221568, P268K231568 Award Period: July 1, 2022 – June 30, 2023 Type of Finding: Material Weakness in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance: 1. The Code of Federal Regulations, consisting of 34 CFR 685.309 and 34 CFR 690.83(b)(2), requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Additionally, schools are required to certify enrollment at a minimum of every 60 days or every other month. 2. Per the NSLDS Enrollment Reporting Guide, Published Program Length should be reported based on the definition of “normal time” to completion in the regulations at 34 CFR 668.41(a), as follows: a. If the school has published, in its catalog, on its website, or in any promotional materials, the length of the program in weeks, months, or years, the program length reported must be the same as the program length that the school has published. b. If the school has not published a program length and the program is an associate or bachelor’s degree program, the program length to be reported should be two years (associate) or four years (bachelor), respectively, unless the academic design of the program makes it longer or shorter than typical. c. For all other programs for which the school has not published a program length, the program length is based on the school’s determination of how long, in weeks, months, or years, the program is designed for a full-time student to complete. Condition: The change in status was not reported timely and the incorrect program length was reported to NSLDS. Questioned costs: None Context: This condition occurred in our statistically valid sample as follows: 1. The status was not reported timely for 33 out of 35 students 2. The Program Length was incorrectly reported for 35 out of 35 students Cause: The Registrar's extended absences and sudden medical leave caused significant disruptions to the College’s operations, resulting in a delay in securing a temporary replacement from the Registry. Unfortunately, the Registrar has since resigned, and the College is currently in the process of searching for a suitable replacement. Effect: 1. The published program length reported to NSLDS is used to determine the student’s maximum and remaining eligibility periods under the 150% limit. By not reporting the correct length, the calculation of the 150% would be incorrect and the grace period begin date would be incorrect. 2. The NSLDS system is not updated timely with the student information which may cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes, 2022-002 Recommendation: We recommend the College review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: U.S. Department of Education Federal program title: Student Financial Aid Cluster CFDA Number: 84.063, 84.268 Federal Award Identification Number: P063P221568, P268K231568 Award Period: July 1, 2022 – June 30, 2023 Type of Finding: Material Weakness in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance: 1. The Code of Federal Regulations, consisting of 34 CFR 685.309 and 34 CFR 690.83(b)(2), requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Additionally, schools are required to certify enrollment at a minimum of every 60 days or every other month. 2. Per the NSLDS Enrollment Reporting Guide, Published Program Length should be reported based on the definition of “normal time” to completion in the regulations at 34 CFR 668.41(a), as follows: a. If the school has published, in its catalog, on its website, or in any promotional materials, the length of the program in weeks, months, or years, the program length reported must be the same as the program length that the school has published. b. If the school has not published a program length and the program is an associate or bachelor’s degree program, the program length to be reported should be two years (associate) or four years (bachelor), respectively, unless the academic design of the program makes it longer or shorter than typical. c. For all other programs for which the school has not published a program length, the program length is based on the school’s determination of how long, in weeks, months, or years, the program is designed for a full-time student to complete. Condition: The change in status was not reported timely and the incorrect program length was reported to NSLDS. Questioned costs: None Context: This condition occurred in our statistically valid sample as follows: 1. The status was not reported timely for 33 out of 35 students 2. The Program Length was incorrectly reported for 35 out of 35 students Cause: The Registrar's extended absences and sudden medical leave caused significant disruptions to the College’s operations, resulting in a delay in securing a temporary replacement from the Registry. Unfortunately, the Registrar has since resigned, and the College is currently in the process of searching for a suitable replacement. Effect: 1. The published program length reported to NSLDS is used to determine the student’s maximum and remaining eligibility periods under the 150% limit. By not reporting the correct length, the calculation of the 150% would be incorrect and the grace period begin date would be incorrect. 2. The NSLDS system is not updated timely with the student information which may cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes, 2022-002 Recommendation: We recommend the College review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
Federal agency: U.S. Department of Education Federal program title: Student Financial Aid Cluster CFDA Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P221568, P268K231568, P007A221791, P033A211791 Award Period: July 1, 2022 – June 30, 2023 Type of Finding: Material Weakness in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not meeting GLBA requirements. Questioned costs: None Context: The College’s written information security program did not cover the following requirements:  Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (Risk Management section)  Assess apps developed by the institution (SDLC Policy or a policy that includes the testing done to applications provided by vendors)  Implement multi-factor authentication for anyone accessing customer information on the institution’s system (The use of MFA)  Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (performing annual penetration testing and IT Risk Assessment)  There is no Change Management Policy  There is no Vendor Management Policy  The Information Security Policy is in draft from. (Many of the requirements were located in this policy but the policy is in draft form) Cause: The college acknowledges certain deficiencies in compliance in large part due to a gap in having subject matter expertise consistently staffed in these areas. As part of the strategic plan the President has set forth a college wide goal of bringing on FTE staff with the needed subject matter expertise to properly address these compliance deficiencies. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: U.S. Department of Education Federal program title: Student Financial Aid Cluster CFDA Number: 84.063, 84.268 Federal Award Identification Number: P063P221568, P268K231568 Award Period: July 1, 2022 – June 30, 2023 Type of Finding: Material Weakness in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance: 1. The Code of Federal Regulations, consisting of 34 CFR 685.309 and 34 CFR 690.83(b)(2), requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Additionally, schools are required to certify enrollment at a minimum of every 60 days or every other month. 2. Per the NSLDS Enrollment Reporting Guide, Published Program Length should be reported based on the definition of “normal time” to completion in the regulations at 34 CFR 668.41(a), as follows: a. If the school has published, in its catalog, on its website, or in any promotional materials, the length of the program in weeks, months, or years, the program length reported must be the same as the program length that the school has published. b. If the school has not published a program length and the program is an associate or bachelor’s degree program, the program length to be reported should be two years (associate) or four years (bachelor), respectively, unless the academic design of the program makes it longer or shorter than typical. c. For all other programs for which the school has not published a program length, the program length is based on the school’s determination of how long, in weeks, months, or years, the program is designed for a full-time student to complete. Condition: The change in status was not reported timely and the incorrect program length was reported to NSLDS. Questioned costs: None Context: This condition occurred in our statistically valid sample as follows: 1. The status was not reported timely for 33 out of 35 students 2. The Program Length was incorrectly reported for 35 out of 35 students Cause: The Registrar's extended absences and sudden medical leave caused significant disruptions to the College’s operations, resulting in a delay in securing a temporary replacement from the Registry. Unfortunately, the Registrar has since resigned, and the College is currently in the process of searching for a suitable replacement. Effect: 1. The published program length reported to NSLDS is used to determine the student’s maximum and remaining eligibility periods under the 150% limit. By not reporting the correct length, the calculation of the 150% would be incorrect and the grace period begin date would be incorrect. 2. The NSLDS system is not updated timely with the student information which may cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes, 2022-002 Recommendation: We recommend the College review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
Federal agency: U.S. Department of Education Federal program title: Student Financial Aid Cluster CFDA Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P221568, P268K231568, P007A221791, P033A211791 Award Period: July 1, 2022 – June 30, 2023 Type of Finding: Material Weakness in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not meeting GLBA requirements. Questioned costs: None Context: The College’s written information security program did not cover the following requirements:  Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (Risk Management section)  Assess apps developed by the institution (SDLC Policy or a policy that includes the testing done to applications provided by vendors)  Implement multi-factor authentication for anyone accessing customer information on the institution’s system (The use of MFA)  Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (performing annual penetration testing and IT Risk Assessment)  There is no Change Management Policy  There is no Vendor Management Policy  The Information Security Policy is in draft from. (Many of the requirements were located in this policy but the policy is in draft form) Cause: The college acknowledges certain deficiencies in compliance in large part due to a gap in having subject matter expertise consistently staffed in these areas. As part of the strategic plan the President has set forth a college wide goal of bringing on FTE staff with the needed subject matter expertise to properly address these compliance deficiencies. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: U.S. Department of Education Federal program title: Student Financial Aid Cluster CFDA Number: 84.063, 84.268 Federal Award Identification Number: P063P221568, P268K231568 Award Period: July 1, 2022 – June 30, 2023 Type of Finding: Material Weakness in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance: 1. The Code of Federal Regulations, consisting of 34 CFR 685.309 and 34 CFR 690.83(b)(2), requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Additionally, schools are required to certify enrollment at a minimum of every 60 days or every other month. 2. Per the NSLDS Enrollment Reporting Guide, Published Program Length should be reported based on the definition of “normal time” to completion in the regulations at 34 CFR 668.41(a), as follows: a. If the school has published, in its catalog, on its website, or in any promotional materials, the length of the program in weeks, months, or years, the program length reported must be the same as the program length that the school has published. b. If the school has not published a program length and the program is an associate or bachelor’s degree program, the program length to be reported should be two years (associate) or four years (bachelor), respectively, unless the academic design of the program makes it longer or shorter than typical. c. For all other programs for which the school has not published a program length, the program length is based on the school’s determination of how long, in weeks, months, or years, the program is designed for a full-time student to complete. Condition: The change in status was not reported timely and the incorrect program length was reported to NSLDS. Questioned costs: None Context: This condition occurred in our statistically valid sample as follows: 1. The status was not reported timely for 33 out of 35 students 2. The Program Length was incorrectly reported for 35 out of 35 students Cause: The Registrar's extended absences and sudden medical leave caused significant disruptions to the College’s operations, resulting in a delay in securing a temporary replacement from the Registry. Unfortunately, the Registrar has since resigned, and the College is currently in the process of searching for a suitable replacement. Effect: 1. The published program length reported to NSLDS is used to determine the student’s maximum and remaining eligibility periods under the 150% limit. By not reporting the correct length, the calculation of the 150% would be incorrect and the grace period begin date would be incorrect. 2. The NSLDS system is not updated timely with the student information which may cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes, 2022-002 Recommendation: We recommend the College review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: U.S. Department of Education Federal program title: Student Financial Aid Cluster CFDA Number: 84.063, 84.268 Federal Award Identification Number: P063P221568, P268K231568 Award Period: July 1, 2022 – June 30, 2023 Type of Finding: Material Weakness in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance: 1. The Code of Federal Regulations, consisting of 34 CFR 685.309 and 34 CFR 690.83(b)(2), requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Additionally, schools are required to certify enrollment at a minimum of every 60 days or every other month. 2. Per the NSLDS Enrollment Reporting Guide, Published Program Length should be reported based on the definition of “normal time” to completion in the regulations at 34 CFR 668.41(a), as follows: a. If the school has published, in its catalog, on its website, or in any promotional materials, the length of the program in weeks, months, or years, the program length reported must be the same as the program length that the school has published. b. If the school has not published a program length and the program is an associate or bachelor’s degree program, the program length to be reported should be two years (associate) or four years (bachelor), respectively, unless the academic design of the program makes it longer or shorter than typical. c. For all other programs for which the school has not published a program length, the program length is based on the school’s determination of how long, in weeks, months, or years, the program is designed for a full-time student to complete. Condition: The change in status was not reported timely and the incorrect program length was reported to NSLDS. Questioned costs: None Context: This condition occurred in our statistically valid sample as follows: 1. The status was not reported timely for 33 out of 35 students 2. The Program Length was incorrectly reported for 35 out of 35 students Cause: The Registrar's extended absences and sudden medical leave caused significant disruptions to the College’s operations, resulting in a delay in securing a temporary replacement from the Registry. Unfortunately, the Registrar has since resigned, and the College is currently in the process of searching for a suitable replacement. Effect: 1. The published program length reported to NSLDS is used to determine the student’s maximum and remaining eligibility periods under the 150% limit. By not reporting the correct length, the calculation of the 150% would be incorrect and the grace period begin date would be incorrect. 2. The NSLDS system is not updated timely with the student information which may cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes, 2022-002 Recommendation: We recommend the College review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal agency: U.S. Department of Education Federal program title: Student Financial Aid Cluster CFDA Number: 84.063, 84.268 Federal Award Identification Number: P063P221568, P268K231568 Award Period: July 1, 2022 – June 30, 2023 Type of Finding: Material Weakness in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance: 1. The Code of Federal Regulations, consisting of 34 CFR 685.309 and 34 CFR 690.83(b)(2), requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Additionally, schools are required to certify enrollment at a minimum of every 60 days or every other month. 2. Per the NSLDS Enrollment Reporting Guide, Published Program Length should be reported based on the definition of “normal time” to completion in the regulations at 34 CFR 668.41(a), as follows: a. If the school has published, in its catalog, on its website, or in any promotional materials, the length of the program in weeks, months, or years, the program length reported must be the same as the program length that the school has published. b. If the school has not published a program length and the program is an associate or bachelor’s degree program, the program length to be reported should be two years (associate) or four years (bachelor), respectively, unless the academic design of the program makes it longer or shorter than typical. c. For all other programs for which the school has not published a program length, the program length is based on the school’s determination of how long, in weeks, months, or years, the program is designed for a full-time student to complete. Condition: The change in status was not reported timely and the incorrect program length was reported to NSLDS. Questioned costs: None Context: This condition occurred in our statistically valid sample as follows: 1. The status was not reported timely for 33 out of 35 students 2. The Program Length was incorrectly reported for 35 out of 35 students Cause: The Registrar's extended absences and sudden medical leave caused significant disruptions to the College’s operations, resulting in a delay in securing a temporary replacement from the Registry. Unfortunately, the Registrar has since resigned, and the College is currently in the process of searching for a suitable replacement. Effect: 1. The published program length reported to NSLDS is used to determine the student’s maximum and remaining eligibility periods under the 150% limit. By not reporting the correct length, the calculation of the 150% would be incorrect and the grace period begin date would be incorrect. 2. The NSLDS system is not updated timely with the student information which may cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes, 2022-002 Recommendation: We recommend the College review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
Federal agency: U.S. Department of Education Federal program title: Student Financial Aid Cluster CFDA Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P221568, P268K231568, P007A221791, P033A211791 Award Period: July 1, 2022 – June 30, 2023 Type of Finding: Material Weakness in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not meeting GLBA requirements. Questioned costs: None Context: The College’s written information security program did not cover the following requirements:  Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (Risk Management section)  Assess apps developed by the institution (SDLC Policy or a policy that includes the testing done to applications provided by vendors)  Implement multi-factor authentication for anyone accessing customer information on the institution’s system (The use of MFA)  Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (performing annual penetration testing and IT Risk Assessment)  There is no Change Management Policy  There is no Vendor Management Policy  The Information Security Policy is in draft from. (Many of the requirements were located in this policy but the policy is in draft form) Cause: The college acknowledges certain deficiencies in compliance in large part due to a gap in having subject matter expertise consistently staffed in these areas. As part of the strategic plan the President has set forth a college wide goal of bringing on FTE staff with the needed subject matter expertise to properly address these compliance deficiencies. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.