FAC Explorer

Audit 297294

FY End
2023-07-31
Total Expended
$17.00M
Findings
24
Programs
11
Organization: Illinois Wesleyan University (IL)
Year: 2023 Accepted: 2024-03-25
Auditor: Cliftonlarsonallen LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
384203 2023-001 Significant Deficiency - N
384204 2023-001 Significant Deficiency - N
384205 2023-001 Significant Deficiency - N
384206 2023-001 Significant Deficiency - N
384207 2023-001 Significant Deficiency - N
384208 2023-001 Significant Deficiency - N
384209 2023-002 Significant Deficiency - N
384210 2023-002 Significant Deficiency - N
384211 2023-002 Significant Deficiency - N
384212 2023-002 Significant Deficiency - N
384213 2023-002 Significant Deficiency - N
384214 2023-002 Significant Deficiency - N
960645 2023-001 Significant Deficiency - N
960646 2023-001 Significant Deficiency - N
960647 2023-001 Significant Deficiency - N
960648 2023-001 Significant Deficiency - N
960649 2023-001 Significant Deficiency - N
960650 2023-001 Significant Deficiency - N
960651 2023-002 Significant Deficiency - N
960652 2023-002 Significant Deficiency - N
960653 2023-002 Significant Deficiency - N
960654 2023-002 Significant Deficiency - N
960655 2023-002 Significant Deficiency - N
960656 2023-002 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $10.68M Yes 2
84.063 Federal Pell Grant Program $1.88M Yes 2
93.364 Nursing Student Loans $1.86M Yes 2
84.038 Federal Perkins Loan Program $1.35M Yes 2
47.076 Education and Human Resources $510,608 - 0
84.033 Federal Work-Study Program $290,931 Yes 2
84.007 Federal Supplemental Educational Opportunity Grants $238,000 Yes 2
47.049 Mathematical and Physical Sciences $88,401 - 0
59.037 Small Business Development Centers $1,457 - 0
47.075 Social, Behavioral, and Economic Sciences $0 - 0
84.425 Education Stabilization Fund $0 - 0

Contacts

Name Title Type
CWWDCJCNE3L1 David Myron Auditee
3095561000 Kyla Greenhoe Auditor
No contacts on file

Notes to SEFA

Title: INDIRECT COSTS Accounting Policies: BASIS OF PRESENTATION The accompanying schedule of expenditures of federal awards (the Schedule) summarizes the federal expenditures incurred by Illinois Wesleyan University (the University) under awards received from the federal government for the year ended July 31, 2023. For purposes of the Schedule, federal awards include all grants, contracts, loans, and loan guarantee agreements entered into directly between the University and agencies and departments of the federal government. Expenditures for federal award programs are recognized on the accrual basis of accounting. De Minimis Rate Used: N Rate Explanation: The University does not use the de minimis indirect cost rate of 10%. The University has four-year predetermined fixed indirect cost rates, effective August 1, 2017 through July 31, 2021, which have been negotiated with the Department of Health and Human Services. The University has applied for a new rate for the period August 1, 2023 through July 31, 2026, and requested a provisional rate be used for the year ended July 31, 2023. The predetermined fixed rates were based on the University’s financial information for fiscal year 2012. The base rates for on and off campus were 45% and 15%, respectively, of modified total direct costs. Approximately $67,000 of indirect costs was reimbursed to the University during the year ended July 31, 2023. The University does not use the de minimis indirect cost rate of 10%.
Title: FEDERAL STUDENT LOAN PROGRAMS Accounting Policies: BASIS OF PRESENTATION The accompanying schedule of expenditures of federal awards (the Schedule) summarizes the federal expenditures incurred by Illinois Wesleyan University (the University) under awards received from the federal government for the year ended July 31, 2023. For purposes of the Schedule, federal awards include all grants, contracts, loans, and loan guarantee agreements entered into directly between the University and agencies and departments of the federal government. Expenditures for federal award programs are recognized on the accrual basis of accounting. De Minimis Rate Used: N Rate Explanation: The University does not use the de minimis indirect cost rate of 10%. Loans disbursed by the University to eligible students under federal student loan programs and federally guaranteed loans issued to students of the University during the year ended July 31, 2023 are summarized as follows: Federal Perkins Loans $- Nursing Student Loans 291,673 Federal Direct Student Loans Program: Federal Subsidized Direct Loans 3,256,499 Federal Unsubsidized Direct Loans 2,990,653 Federal Parent Loans for Undergraduate Students 4,430,550 Total $10,969,375 The Federal Perkins Loan Program (Perkins) is administered directly by the University, and balances and transactions relating to this program are included in the University’s financial statements. The balance of loans outstanding under the Perkins program was $938,064 and $1,351,769 at July 31, 2023 and 2022, respectively. The Nursing Student Loan Program (NSL) is administered directly by the University, and balances and transactions relating to this program are included in the University’s financial statements. The balance of loans outstanding under the NSL program was $1,650,654 and $1,569,621 at July 31, 2023 and 2022, respectively. The balance of loans outstanding for these programs consists of the following amounts: Perkins NSL Outstanding Balance - August 1, 2022 $1,351,769 $1,569,621 Loans Disbursed - 291,673 Repayments (205,303) (210,640) Cancellations (208,402) - Outstanding Balance - July 31, 2023 $938,064 $1,650,654 The University is responsible only for the performance of certain administrative duties on behalf of the U.S. Department of Education with respect to the Direct Loan Program, and accordingly, the outstanding balances of these loans are not included in its financial statements and it is not practical to determine the balance of loans outstanding to students and former students of the University under these programs at July 31, 2023.

Finding Details

Finding 2023-001
2023 – 001: Special Tests and Provision: Enrollment Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to the National Student Loan Data System (NSLDS) within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: While performing audit procedures, it was noted that 1 student of our sample of twenty four (24) was reported to NSLDS outside of the 60 day requirement. The student graduated June 2, 2023 but was not reported until September 7, 2023. Questioned costs: None Context: A control system to prevent and detect errors in the reporting process was not created to ensure all required reporting compliance was filed timely. During the period of late reporting, the University was in the process of an information technology upgrade causing delays in access for reporting. Cause: The University’s processes and controls did not ensure that student status changes were properly and timely reported to NSLDS. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023 – 001: Special Tests and Provision: Enrollment Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to the National Student Loan Data System (NSLDS) within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: While performing audit procedures, it was noted that 1 student of our sample of twenty four (24) was reported to NSLDS outside of the 60 day requirement. The student graduated June 2, 2023 but was not reported until September 7, 2023. Questioned costs: None Context: A control system to prevent and detect errors in the reporting process was not created to ensure all required reporting compliance was filed timely. During the period of late reporting, the University was in the process of an information technology upgrade causing delays in access for reporting. Cause: The University’s processes and controls did not ensure that student status changes were properly and timely reported to NSLDS. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023 – 001: Special Tests and Provision: Enrollment Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to the National Student Loan Data System (NSLDS) within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: While performing audit procedures, it was noted that 1 student of our sample of twenty four (24) was reported to NSLDS outside of the 60 day requirement. The student graduated June 2, 2023 but was not reported until September 7, 2023. Questioned costs: None Context: A control system to prevent and detect errors in the reporting process was not created to ensure all required reporting compliance was filed timely. During the period of late reporting, the University was in the process of an information technology upgrade causing delays in access for reporting. Cause: The University’s processes and controls did not ensure that student status changes were properly and timely reported to NSLDS. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023 – 001: Special Tests and Provision: Enrollment Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to the National Student Loan Data System (NSLDS) within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: While performing audit procedures, it was noted that 1 student of our sample of twenty four (24) was reported to NSLDS outside of the 60 day requirement. The student graduated June 2, 2023 but was not reported until September 7, 2023. Questioned costs: None Context: A control system to prevent and detect errors in the reporting process was not created to ensure all required reporting compliance was filed timely. During the period of late reporting, the University was in the process of an information technology upgrade causing delays in access for reporting. Cause: The University’s processes and controls did not ensure that student status changes were properly and timely reported to NSLDS. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023 – 001: Special Tests and Provision: Enrollment Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to the National Student Loan Data System (NSLDS) within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: While performing audit procedures, it was noted that 1 student of our sample of twenty four (24) was reported to NSLDS outside of the 60 day requirement. The student graduated June 2, 2023 but was not reported until September 7, 2023. Questioned costs: None Context: A control system to prevent and detect errors in the reporting process was not created to ensure all required reporting compliance was filed timely. During the period of late reporting, the University was in the process of an information technology upgrade causing delays in access for reporting. Cause: The University’s processes and controls did not ensure that student status changes were properly and timely reported to NSLDS. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023 – 001: Special Tests and Provision: Enrollment Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to the National Student Loan Data System (NSLDS) within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: While performing audit procedures, it was noted that 1 student of our sample of twenty four (24) was reported to NSLDS outside of the 60 day requirement. The student graduated June 2, 2023 but was not reported until September 7, 2023. Questioned costs: None Context: A control system to prevent and detect errors in the reporting process was not created to ensure all required reporting compliance was filed timely. During the period of late reporting, the University was in the process of an information technology upgrade causing delays in access for reporting. Cause: The University’s processes and controls did not ensure that student status changes were properly and timely reported to NSLDS. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
2023 – 002: Special Tests and Provisions: Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
2023 – 002: Special Tests and Provisions: Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
2023 – 002: Special Tests and Provisions: Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
2023 – 002: Special Tests and Provisions: Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
2023 – 002: Special Tests and Provisions: Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
2023 – 002: Special Tests and Provisions: Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023 – 001: Special Tests and Provision: Enrollment Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to the National Student Loan Data System (NSLDS) within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: While performing audit procedures, it was noted that 1 student of our sample of twenty four (24) was reported to NSLDS outside of the 60 day requirement. The student graduated June 2, 2023 but was not reported until September 7, 2023. Questioned costs: None Context: A control system to prevent and detect errors in the reporting process was not created to ensure all required reporting compliance was filed timely. During the period of late reporting, the University was in the process of an information technology upgrade causing delays in access for reporting. Cause: The University’s processes and controls did not ensure that student status changes were properly and timely reported to NSLDS. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023 – 001: Special Tests and Provision: Enrollment Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to the National Student Loan Data System (NSLDS) within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: While performing audit procedures, it was noted that 1 student of our sample of twenty four (24) was reported to NSLDS outside of the 60 day requirement. The student graduated June 2, 2023 but was not reported until September 7, 2023. Questioned costs: None Context: A control system to prevent and detect errors in the reporting process was not created to ensure all required reporting compliance was filed timely. During the period of late reporting, the University was in the process of an information technology upgrade causing delays in access for reporting. Cause: The University’s processes and controls did not ensure that student status changes were properly and timely reported to NSLDS. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023 – 001: Special Tests and Provision: Enrollment Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to the National Student Loan Data System (NSLDS) within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: While performing audit procedures, it was noted that 1 student of our sample of twenty four (24) was reported to NSLDS outside of the 60 day requirement. The student graduated June 2, 2023 but was not reported until September 7, 2023. Questioned costs: None Context: A control system to prevent and detect errors in the reporting process was not created to ensure all required reporting compliance was filed timely. During the period of late reporting, the University was in the process of an information technology upgrade causing delays in access for reporting. Cause: The University’s processes and controls did not ensure that student status changes were properly and timely reported to NSLDS. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023 – 001: Special Tests and Provision: Enrollment Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to the National Student Loan Data System (NSLDS) within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: While performing audit procedures, it was noted that 1 student of our sample of twenty four (24) was reported to NSLDS outside of the 60 day requirement. The student graduated June 2, 2023 but was not reported until September 7, 2023. Questioned costs: None Context: A control system to prevent and detect errors in the reporting process was not created to ensure all required reporting compliance was filed timely. During the period of late reporting, the University was in the process of an information technology upgrade causing delays in access for reporting. Cause: The University’s processes and controls did not ensure that student status changes were properly and timely reported to NSLDS. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023 – 001: Special Tests and Provision: Enrollment Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to the National Student Loan Data System (NSLDS) within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: While performing audit procedures, it was noted that 1 student of our sample of twenty four (24) was reported to NSLDS outside of the 60 day requirement. The student graduated June 2, 2023 but was not reported until September 7, 2023. Questioned costs: None Context: A control system to prevent and detect errors in the reporting process was not created to ensure all required reporting compliance was filed timely. During the period of late reporting, the University was in the process of an information technology upgrade causing delays in access for reporting. Cause: The University’s processes and controls did not ensure that student status changes were properly and timely reported to NSLDS. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023 – 001: Special Tests and Provision: Enrollment Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to the National Student Loan Data System (NSLDS) within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: While performing audit procedures, it was noted that 1 student of our sample of twenty four (24) was reported to NSLDS outside of the 60 day requirement. The student graduated June 2, 2023 but was not reported until September 7, 2023. Questioned costs: None Context: A control system to prevent and detect errors in the reporting process was not created to ensure all required reporting compliance was filed timely. During the period of late reporting, the University was in the process of an information technology upgrade causing delays in access for reporting. Cause: The University’s processes and controls did not ensure that student status changes were properly and timely reported to NSLDS. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
2023 – 002: Special Tests and Provisions: Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
2023 – 002: Special Tests and Provisions: Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
2023 – 002: Special Tests and Provisions: Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
2023 – 002: Special Tests and Provisions: Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
2023 – 002: Special Tests and Provisions: Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-002
2023 – 002: Special Tests and Provisions: Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans) Federal Award Identification Number and Year: N/A; 2022-2023 Award Period: August 1, 2022 – July 31, 2023 Pass-Through Agency: N/A Pass-Through Numbers: N/A Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements: • Identify the approval of the appropriate individual leading the information security program • The use of encryption controls in transit on the University's systems • The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information • The use of multi-factor authentication for individuals accessing sensitive information across systems • The processes to perform an annual penetration test and semi-annual vulnerability assessments Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards. Views of responsible officials: There is no disagreement with the audit finding.