Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be “financial institutions” subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)).
Condition: The following required elements of the Written Information Security Program were not included:
b.3.2 Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
b.3.3 Encrypt customer information on the institution’s system and when it’s in transit.
b.3.4 Assess apps developed by the institution.
b.3.6 Dispose of customer information securely.
b.7 Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).
Questioned costs: None
Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were elements missing from their WISP.
Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance.
Effect: Student personal information could be vulnerable.
Repeat Finding: No
Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements.
Views of responsible officials: There is no disagreement with the audit finding.
Criteria or Specific Requirement:
The Code of Federal Regulations, 34 CFR 668.22 defines the last date of attendance for schools that are required to take attendance and those that are not required and requires an institution to return the amount of title IV funds for which it is responsible as soon as possible but no later than 45 days after the date of the institution's determination that the student withdrew.
Condition:
For seven of forty R2T4s tested, the University failed to return payments within 45 days of the school's determination of the student's withdrawal date. For one of forty R2T4s tested, an improper last date of attendance was used.
Questioned Costs:
Not determined.
Context:
The University failed to return payments within 45 days of the school's determination.
Cause:
The University's internal controls did not identify the errors for compliance with the criteria mentioned above.
Effect:
The student’s return of funds calculation was not done correctly and the return of funds back to the federal government was for the incorrect amount. The University failed to return payments within 45 days of the school's determination of the student's withdrawal date.
Repeat Finding:
No
Recommendation:
We recommend that additional training be provided to staff completing R2T4s to ensure a thorough understanding of the governing regulations for each individual program. We also recommend that an additional level of review be added to ensure that R2T4s are properly completed.