FAC Explorer

Audit 297439

FY End
2023-06-30
Total Expended
$7.08M
Findings
10
Programs
10
Organization: Erikson Institute (IL)
Year: 2023 Accepted: 2024-03-25
Auditor: Rsm US LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
384318 2023-001 Significant Deficiency - N
384319 2023-001 Significant Deficiency - N
384320 2023-001 Significant Deficiency - N
384321 2023-002 Significant Deficiency Yes N
384322 2023-003 Significant Deficiency - C
960760 2023-001 Significant Deficiency - N
960761 2023-001 Significant Deficiency - N
960762 2023-001 Significant Deficiency - N
960763 2023-002 Significant Deficiency Yes N
960764 2023-003 Significant Deficiency - C

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $4.55M Yes 3
93.600 Head Start $612,255 - 0
84.305 Education Research, Development and Dissemination $300,245 Yes 0
84.325 Special Education - Personnel Development to Improve Services and Results for Children with Disabilities $220,511 - 0
84.425 Education Stabilization Fund $211,666 Yes 0
93.575 Child Care and Development Block Grant $191,160 - 0
93.434 Every Student Succeeds Act/preschool Development Grants $121,893 - 0
84.033 Federal Work-Study Program $75,000 Yes 1
45.313 Laura Bush 21st Century Librarian Program $61,836 - 0
84.379 Teacher Education Assistance for College and Higher Education Grants (teach Grants) $2,515 Yes 1

Contacts

Name Title Type
LMGWHNUKM2C5 Christine Frankhauser Auditee
3128937121 Craig Wories Auditor
No contacts on file

Notes to SEFA

Title: Note 1. Basis of Presentation Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Pass-through entity identifying numbers are presented where available. De Minimis Rate Used: N Rate Explanation: The Institute has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The Institute has federally-approved negotiated indirect cost rates of 40.60% for on-campus and 20% for off campus costs. The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of Erikson Institute (the Institute) under programs of the federal government for the year ended June 30, 2023. The information in this schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the Institute, it is not intended to and does not present the financial position, changes in net assets, or cash flows of the Institute. There were no federal awards expended for non-cash assistance or insurance for the year.
Title: Note 2. Summary of Significant Accounting Policies Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Pass-through entity identifying numbers are presented where available. De Minimis Rate Used: N Rate Explanation: The Institute has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The Institute has federally-approved negotiated indirect cost rates of 40.60% for on-campus and 20% for off campus costs. Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Pass-through entity identifying numbers are presented where available.
Title: Note 3. Indirect Cost Rate Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Pass-through entity identifying numbers are presented where available. De Minimis Rate Used: N Rate Explanation: The Institute has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The Institute has federally-approved negotiated indirect cost rates of 40.60% for on-campus and 20% for off campus costs. The Institute has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The Institute has federally-approved negotiated indirect cost rates of 40.60% for on-campus and 20% for off campus costs.
Title: Note 4. Federal Direct Student Loan Program Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Pass-through entity identifying numbers are presented where available. De Minimis Rate Used: N Rate Explanation: The Institute has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The Institute has federally-approved negotiated indirect cost rates of 40.60% for on-campus and 20% for off campus costs. During the fiscal year ended June 30, 2023, the Institute issued new loans to students under the Federal Direct Student Loan Program (FDLP). The value of loans issued for the FDLP is based on disbursed amounts. The loan amounts issued during the year are disclosed on the Schedule. The Institute is responsible only for the performance of certain administrative duties with respect to the federally guaranteed student loan programs and, accordingly, balances and transactions relating to these loan programs are not included in the Institute’s basic financial statements. Therefore, it is not practicable to determine the balance of loans outstanding made to students and former students of the Institute at June 30, 2023.

Finding Details

Finding 2023-001
Finding 2023-001—Gramm-Leach Bliley Act—Student Information Security Repeat Finding: No Federal Program Title—U.S. Department of Education Student Financial Assistance Cluster Federal Direct Student Loans: 84.268 Federal TEACH Grants: 84.379 Federal Work-Study Program: 84.033 Federal Award Year 2022-2023 Condition While the Institute does have various policies addressing information security, the Institute did not have written policies to address the required safeguards for the eight required elements under the Gramm-Leach Bliley Act (GLBA) by June 9, 2023, the required date of compliance. Of the eight required elements under the GLBA, the Institute did have six written and formally documented safeguards, one is not applicable (assess apps developed by institution) and one had safeguards designed (dispose of customer information securely) but not a written policy in place. Criteria In accordance with 16 CFR 314.4(c), an institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). This includes the following: (1) implement and periodically review access controls, (2) conduct a periodic inventory of data, noting where it’s collected, stored or transmitted, (3) encrypt customer information on the institution’s system and when it’s in transit, (4) assess apps developed by the institution, (5) implement multi-factor authentication for anyone accessing customer information on the institution’s system, (6) dispose of customer information securely, (7) anticipate and evaluate changes to the information system or network, and (8) maintain a log of authorized users’ activity and keep an eye out for unauthorized users. 2 CFR Section 200.303 requires entities receiving Federal awards establish and maintain internal controls deigned to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures in place to ensure that reviews are being completed over information security policies and that they are in compliance with GLBA requirements. Questioned Costs There were no questioned costs. Cause While security policies and practices addressed the safeguards identified in 16 CFR 314.4(c)(1) through (8), all were not formally documented due to an oversight. Of the eight required elements under the GLBA the Institute did have six written and formally documented safeguards, one is not applicable and one had safeguards designed (dispose of customer information securely) but did not have a written policy in place. A comprehensive formal Information Security Policy that addresses all required safeguards under the GLBA has been drafted and is in its final institutional review. Context The required elements were not combined into a single policy. Effect Failure to meet the minimum requirements of the GLBA act is noncompliance and increases the risk of unauthorized disclosure, misuse, alteration, destruction, or other comprise of student information. Recommendation We recommend the Institute implement controls to ensure that GLBA requirements are reviewed and addressed in a formally documented policy. Views of Responsible Officials We agree with this finding. See corrective action plan.
Finding 2023-001
Finding 2023-001—Gramm-Leach Bliley Act—Student Information Security Repeat Finding: No Federal Program Title—U.S. Department of Education Student Financial Assistance Cluster Federal Direct Student Loans: 84.268 Federal TEACH Grants: 84.379 Federal Work-Study Program: 84.033 Federal Award Year 2022-2023 Condition While the Institute does have various policies addressing information security, the Institute did not have written policies to address the required safeguards for the eight required elements under the Gramm-Leach Bliley Act (GLBA) by June 9, 2023, the required date of compliance. Of the eight required elements under the GLBA, the Institute did have six written and formally documented safeguards, one is not applicable (assess apps developed by institution) and one had safeguards designed (dispose of customer information securely) but not a written policy in place. Criteria In accordance with 16 CFR 314.4(c), an institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). This includes the following: (1) implement and periodically review access controls, (2) conduct a periodic inventory of data, noting where it’s collected, stored or transmitted, (3) encrypt customer information on the institution’s system and when it’s in transit, (4) assess apps developed by the institution, (5) implement multi-factor authentication for anyone accessing customer information on the institution’s system, (6) dispose of customer information securely, (7) anticipate and evaluate changes to the information system or network, and (8) maintain a log of authorized users’ activity and keep an eye out for unauthorized users. 2 CFR Section 200.303 requires entities receiving Federal awards establish and maintain internal controls deigned to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures in place to ensure that reviews are being completed over information security policies and that they are in compliance with GLBA requirements. Questioned Costs There were no questioned costs. Cause While security policies and practices addressed the safeguards identified in 16 CFR 314.4(c)(1) through (8), all were not formally documented due to an oversight. Of the eight required elements under the GLBA the Institute did have six written and formally documented safeguards, one is not applicable and one had safeguards designed (dispose of customer information securely) but did not have a written policy in place. A comprehensive formal Information Security Policy that addresses all required safeguards under the GLBA has been drafted and is in its final institutional review. Context The required elements were not combined into a single policy. Effect Failure to meet the minimum requirements of the GLBA act is noncompliance and increases the risk of unauthorized disclosure, misuse, alteration, destruction, or other comprise of student information. Recommendation We recommend the Institute implement controls to ensure that GLBA requirements are reviewed and addressed in a formally documented policy. Views of Responsible Officials We agree with this finding. See corrective action plan.
Finding 2023-001
Finding 2023-001—Gramm-Leach Bliley Act—Student Information Security Repeat Finding: No Federal Program Title—U.S. Department of Education Student Financial Assistance Cluster Federal Direct Student Loans: 84.268 Federal TEACH Grants: 84.379 Federal Work-Study Program: 84.033 Federal Award Year 2022-2023 Condition While the Institute does have various policies addressing information security, the Institute did not have written policies to address the required safeguards for the eight required elements under the Gramm-Leach Bliley Act (GLBA) by June 9, 2023, the required date of compliance. Of the eight required elements under the GLBA, the Institute did have six written and formally documented safeguards, one is not applicable (assess apps developed by institution) and one had safeguards designed (dispose of customer information securely) but not a written policy in place. Criteria In accordance with 16 CFR 314.4(c), an institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). This includes the following: (1) implement and periodically review access controls, (2) conduct a periodic inventory of data, noting where it’s collected, stored or transmitted, (3) encrypt customer information on the institution’s system and when it’s in transit, (4) assess apps developed by the institution, (5) implement multi-factor authentication for anyone accessing customer information on the institution’s system, (6) dispose of customer information securely, (7) anticipate and evaluate changes to the information system or network, and (8) maintain a log of authorized users’ activity and keep an eye out for unauthorized users. 2 CFR Section 200.303 requires entities receiving Federal awards establish and maintain internal controls deigned to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures in place to ensure that reviews are being completed over information security policies and that they are in compliance with GLBA requirements. Questioned Costs There were no questioned costs. Cause While security policies and practices addressed the safeguards identified in 16 CFR 314.4(c)(1) through (8), all were not formally documented due to an oversight. Of the eight required elements under the GLBA the Institute did have six written and formally documented safeguards, one is not applicable and one had safeguards designed (dispose of customer information securely) but did not have a written policy in place. A comprehensive formal Information Security Policy that addresses all required safeguards under the GLBA has been drafted and is in its final institutional review. Context The required elements were not combined into a single policy. Effect Failure to meet the minimum requirements of the GLBA act is noncompliance and increases the risk of unauthorized disclosure, misuse, alteration, destruction, or other comprise of student information. Recommendation We recommend the Institute implement controls to ensure that GLBA requirements are reviewed and addressed in a formally documented policy. Views of Responsible Officials We agree with this finding. See corrective action plan.
Finding 2023-002
Finding 2023-002—Enrollment Reporting Repeat Finding: Yes Federal Program Title—U.S. Department of Education Student Financial Assistance Cluster Federal Direct Student Loans: 84.268 Federal Award Year 2022-2023 Condition For two out of four students tested (50%) who withdrew from the Institute, the students’ enrollment status reported to the National Student Loan Data System (NSLDS) did not match the institution’s records. Criteria CFR section 685.309 and 690.83(b)(2) requires the Institute to notify the NSLDS within 30 days of a change in student status or include the change in status in a response to an enrollment reporting roster within 60 days of the student’s date of determination of withdrawal. 2 CFR Section 200.303 requires entities receiving Federal awards establish and maintain internal controls deigned to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures in place to ensure accurate reporting of enrollment status changes. Questioned Costs There were no questioned costs related to testing of enrollment reporting. Cause Between 2022 and 2023, the Registration & Records office at Erikson experienced significant staff turnover, which revealed underlying vulnerabilities. Initially, there was a reorganization of the entire enrollment management function. During this time, a key office member was out for extended periods of time under FMLA prior to resigning in spring 2023. This staffing shortage led to delays in registration functions related to reporting to the NSLDS that sit within this office, including reporting. Context Two out of four students selected for testing. Effect Failure to report status changes timely is noncompliance with Federal regulation and could result in loss of future funding. Recommendation We recommend the Institute improve internal controls in order to report any status changes to the NSLDS timely and accurately. Views of Responsible Officials We agree with this finding. See corrective action plan. Finding 2023-002—Enrollment Reporting Repeat Finding: Yes Federal Program Title—U.S. Department of Education Student Financial Assistance Cluster Federal Direct Student Loans: 84.268 Federal Award Year 2022-2023 Condition For two out of four students tested (50%) who withdrew from the Institute, the students’ enrollment status reported to the National Student Loan Data System (NSLDS) did not match the institution’s records. Criteria CFR section 685.309 and 690.83(b)(2) requires the Institute to notify the NSLDS within 30 days of a change in student status or include the change in status in a response to an enrollment reporting roster within 60 days of the student’s date of determination of withdrawal. 2 CFR Section 200.303 requires entities receiving Federal awards establish and maintain internal controls deigned to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures in place to ensure accurate reporting of enrollment status changes. Questioned Costs There were no questioned costs related to testing of enrollment reporting. Cause Between 2022 and 2023, the Registration & Records office at Erikson experienced significant staff turnover, which revealed underlying vulnerabilities. Initially, there was a reorganization of the entire enrollment management function. During this time, a key office member was out for extended periods of time under FMLA prior to resigning in spring 2023. This staffing shortage led to delays in registration functions related to reporting to the NSLDS that sit within this office, including reporting. Context Two out of four students selected for testing. Effect Failure to report status changes timely is noncompliance with Federal regulation and could result in loss of future funding. Recommendation We recommend the Institute improve internal controls in order to report any status changes to the NSLDS timely and accurately. Views of Responsible Officials We agree with this finding. See corrective action plan.
Finding 2023-003
Finding 2023-003—Cash Management—Excess Cash Repeat Finding: No Federal Program Title—U.S. Department of Education Student Financial Assistance Cluster Federal Direct Student Loans: 84.268 Federal Award Year 2022-2023 Condition During our cash management testing, we identified the following instances of excess cash: • The Institute had three instances of return of funds that resulted in excess cash for Federal Direct Student Loans ranging from $94 to $46,049 during the period of September 19, 2022 through November 29, 2022. In these situations, the excess cash amounts, being less than one percent of total prior year drawdowns, were not returned within a seven day tolerance period, as outlined below.   Criteria Uniform Grant Guidance (34 CFR 668.166) states the Secretary considers excess cash to be any amount of title IV, HEA program funds, other than Federal Perkins Loan program funds, that an institution does not disburse to students by the end of the third business day following the date the institution (1) received those funds from the Secretary; or (2) deposited or transferred to its depository account previously disbursed title IV, HEA program funds, such as those resulting from awards adjustments, recoveries, or cancellations. An institution may maintain for up to seven days an amount of excess cash that does not exceed one percent of the total amount of funds the institution drew down in the prior award year. The institution must return immediately to the Secretary any amount of excess cash over the one-percent tolerance and any amount of excess cash remaining in its account after the seven-day tolerance period. Uniform Grant Guidance (2 CFR 200.303) requires nonfederal entities receiving Federal awards establish and maintain internal controls deigned to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure excess cash is properly handled. Questioned Costs There were no questioned costs related to testing of excess cash. Cause During this period of time, Erikson was without a Student Bursar due to a resignation in September 2022. The Student Bursar is responsible for requesting and monitoring the return of federal funds. With the staff transition there was a gap in monitoring cash management procedures. In December 2022 all excess cash was returned. A new Student Bursar was hired in November 2022 and onboarding included comprehensive federal funds cash management training with an outside consultant. Context Ranging from $94 - $46,049 during the period from Sept 19 – Nov 29. Effect Excess cash is noncompliance with Federal regulation and could result in the loss of future funding. Recommendation We recommend the Institute review current processes for monitoring cash management and implement procedures that eliminate excess cash. Views of Responsible Officials We agree with this finding. See corrective action plan.
Finding 2023-001
Finding 2023-001—Gramm-Leach Bliley Act—Student Information Security Repeat Finding: No Federal Program Title—U.S. Department of Education Student Financial Assistance Cluster Federal Direct Student Loans: 84.268 Federal TEACH Grants: 84.379 Federal Work-Study Program: 84.033 Federal Award Year 2022-2023 Condition While the Institute does have various policies addressing information security, the Institute did not have written policies to address the required safeguards for the eight required elements under the Gramm-Leach Bliley Act (GLBA) by June 9, 2023, the required date of compliance. Of the eight required elements under the GLBA, the Institute did have six written and formally documented safeguards, one is not applicable (assess apps developed by institution) and one had safeguards designed (dispose of customer information securely) but not a written policy in place. Criteria In accordance with 16 CFR 314.4(c), an institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). This includes the following: (1) implement and periodically review access controls, (2) conduct a periodic inventory of data, noting where it’s collected, stored or transmitted, (3) encrypt customer information on the institution’s system and when it’s in transit, (4) assess apps developed by the institution, (5) implement multi-factor authentication for anyone accessing customer information on the institution’s system, (6) dispose of customer information securely, (7) anticipate and evaluate changes to the information system or network, and (8) maintain a log of authorized users’ activity and keep an eye out for unauthorized users. 2 CFR Section 200.303 requires entities receiving Federal awards establish and maintain internal controls deigned to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures in place to ensure that reviews are being completed over information security policies and that they are in compliance with GLBA requirements. Questioned Costs There were no questioned costs. Cause While security policies and practices addressed the safeguards identified in 16 CFR 314.4(c)(1) through (8), all were not formally documented due to an oversight. Of the eight required elements under the GLBA the Institute did have six written and formally documented safeguards, one is not applicable and one had safeguards designed (dispose of customer information securely) but did not have a written policy in place. A comprehensive formal Information Security Policy that addresses all required safeguards under the GLBA has been drafted and is in its final institutional review. Context The required elements were not combined into a single policy. Effect Failure to meet the minimum requirements of the GLBA act is noncompliance and increases the risk of unauthorized disclosure, misuse, alteration, destruction, or other comprise of student information. Recommendation We recommend the Institute implement controls to ensure that GLBA requirements are reviewed and addressed in a formally documented policy. Views of Responsible Officials We agree with this finding. See corrective action plan.
Finding 2023-001
Finding 2023-001—Gramm-Leach Bliley Act—Student Information Security Repeat Finding: No Federal Program Title—U.S. Department of Education Student Financial Assistance Cluster Federal Direct Student Loans: 84.268 Federal TEACH Grants: 84.379 Federal Work-Study Program: 84.033 Federal Award Year 2022-2023 Condition While the Institute does have various policies addressing information security, the Institute did not have written policies to address the required safeguards for the eight required elements under the Gramm-Leach Bliley Act (GLBA) by June 9, 2023, the required date of compliance. Of the eight required elements under the GLBA, the Institute did have six written and formally documented safeguards, one is not applicable (assess apps developed by institution) and one had safeguards designed (dispose of customer information securely) but not a written policy in place. Criteria In accordance with 16 CFR 314.4(c), an institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). This includes the following: (1) implement and periodically review access controls, (2) conduct a periodic inventory of data, noting where it’s collected, stored or transmitted, (3) encrypt customer information on the institution’s system and when it’s in transit, (4) assess apps developed by the institution, (5) implement multi-factor authentication for anyone accessing customer information on the institution’s system, (6) dispose of customer information securely, (7) anticipate and evaluate changes to the information system or network, and (8) maintain a log of authorized users’ activity and keep an eye out for unauthorized users. 2 CFR Section 200.303 requires entities receiving Federal awards establish and maintain internal controls deigned to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures in place to ensure that reviews are being completed over information security policies and that they are in compliance with GLBA requirements. Questioned Costs There were no questioned costs. Cause While security policies and practices addressed the safeguards identified in 16 CFR 314.4(c)(1) through (8), all were not formally documented due to an oversight. Of the eight required elements under the GLBA the Institute did have six written and formally documented safeguards, one is not applicable and one had safeguards designed (dispose of customer information securely) but did not have a written policy in place. A comprehensive formal Information Security Policy that addresses all required safeguards under the GLBA has been drafted and is in its final institutional review. Context The required elements were not combined into a single policy. Effect Failure to meet the minimum requirements of the GLBA act is noncompliance and increases the risk of unauthorized disclosure, misuse, alteration, destruction, or other comprise of student information. Recommendation We recommend the Institute implement controls to ensure that GLBA requirements are reviewed and addressed in a formally documented policy. Views of Responsible Officials We agree with this finding. See corrective action plan.
Finding 2023-001
Finding 2023-001—Gramm-Leach Bliley Act—Student Information Security Repeat Finding: No Federal Program Title—U.S. Department of Education Student Financial Assistance Cluster Federal Direct Student Loans: 84.268 Federal TEACH Grants: 84.379 Federal Work-Study Program: 84.033 Federal Award Year 2022-2023 Condition While the Institute does have various policies addressing information security, the Institute did not have written policies to address the required safeguards for the eight required elements under the Gramm-Leach Bliley Act (GLBA) by June 9, 2023, the required date of compliance. Of the eight required elements under the GLBA, the Institute did have six written and formally documented safeguards, one is not applicable (assess apps developed by institution) and one had safeguards designed (dispose of customer information securely) but not a written policy in place. Criteria In accordance with 16 CFR 314.4(c), an institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). This includes the following: (1) implement and periodically review access controls, (2) conduct a periodic inventory of data, noting where it’s collected, stored or transmitted, (3) encrypt customer information on the institution’s system and when it’s in transit, (4) assess apps developed by the institution, (5) implement multi-factor authentication for anyone accessing customer information on the institution’s system, (6) dispose of customer information securely, (7) anticipate and evaluate changes to the information system or network, and (8) maintain a log of authorized users’ activity and keep an eye out for unauthorized users. 2 CFR Section 200.303 requires entities receiving Federal awards establish and maintain internal controls deigned to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures in place to ensure that reviews are being completed over information security policies and that they are in compliance with GLBA requirements. Questioned Costs There were no questioned costs. Cause While security policies and practices addressed the safeguards identified in 16 CFR 314.4(c)(1) through (8), all were not formally documented due to an oversight. Of the eight required elements under the GLBA the Institute did have six written and formally documented safeguards, one is not applicable and one had safeguards designed (dispose of customer information securely) but did not have a written policy in place. A comprehensive formal Information Security Policy that addresses all required safeguards under the GLBA has been drafted and is in its final institutional review. Context The required elements were not combined into a single policy. Effect Failure to meet the minimum requirements of the GLBA act is noncompliance and increases the risk of unauthorized disclosure, misuse, alteration, destruction, or other comprise of student information. Recommendation We recommend the Institute implement controls to ensure that GLBA requirements are reviewed and addressed in a formally documented policy. Views of Responsible Officials We agree with this finding. See corrective action plan.
Finding 2023-002
Finding 2023-002—Enrollment Reporting Repeat Finding: Yes Federal Program Title—U.S. Department of Education Student Financial Assistance Cluster Federal Direct Student Loans: 84.268 Federal Award Year 2022-2023 Condition For two out of four students tested (50%) who withdrew from the Institute, the students’ enrollment status reported to the National Student Loan Data System (NSLDS) did not match the institution’s records. Criteria CFR section 685.309 and 690.83(b)(2) requires the Institute to notify the NSLDS within 30 days of a change in student status or include the change in status in a response to an enrollment reporting roster within 60 days of the student’s date of determination of withdrawal. 2 CFR Section 200.303 requires entities receiving Federal awards establish and maintain internal controls deigned to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures in place to ensure accurate reporting of enrollment status changes. Questioned Costs There were no questioned costs related to testing of enrollment reporting. Cause Between 2022 and 2023, the Registration & Records office at Erikson experienced significant staff turnover, which revealed underlying vulnerabilities. Initially, there was a reorganization of the entire enrollment management function. During this time, a key office member was out for extended periods of time under FMLA prior to resigning in spring 2023. This staffing shortage led to delays in registration functions related to reporting to the NSLDS that sit within this office, including reporting. Context Two out of four students selected for testing. Effect Failure to report status changes timely is noncompliance with Federal regulation and could result in loss of future funding. Recommendation We recommend the Institute improve internal controls in order to report any status changes to the NSLDS timely and accurately. Views of Responsible Officials We agree with this finding. See corrective action plan. Finding 2023-002—Enrollment Reporting Repeat Finding: Yes Federal Program Title—U.S. Department of Education Student Financial Assistance Cluster Federal Direct Student Loans: 84.268 Federal Award Year 2022-2023 Condition For two out of four students tested (50%) who withdrew from the Institute, the students’ enrollment status reported to the National Student Loan Data System (NSLDS) did not match the institution’s records. Criteria CFR section 685.309 and 690.83(b)(2) requires the Institute to notify the NSLDS within 30 days of a change in student status or include the change in status in a response to an enrollment reporting roster within 60 days of the student’s date of determination of withdrawal. 2 CFR Section 200.303 requires entities receiving Federal awards establish and maintain internal controls deigned to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures in place to ensure accurate reporting of enrollment status changes. Questioned Costs There were no questioned costs related to testing of enrollment reporting. Cause Between 2022 and 2023, the Registration & Records office at Erikson experienced significant staff turnover, which revealed underlying vulnerabilities. Initially, there was a reorganization of the entire enrollment management function. During this time, a key office member was out for extended periods of time under FMLA prior to resigning in spring 2023. This staffing shortage led to delays in registration functions related to reporting to the NSLDS that sit within this office, including reporting. Context Two out of four students selected for testing. Effect Failure to report status changes timely is noncompliance with Federal regulation and could result in loss of future funding. Recommendation We recommend the Institute improve internal controls in order to report any status changes to the NSLDS timely and accurately. Views of Responsible Officials We agree with this finding. See corrective action plan.
Finding 2023-003
Finding 2023-003—Cash Management—Excess Cash Repeat Finding: No Federal Program Title—U.S. Department of Education Student Financial Assistance Cluster Federal Direct Student Loans: 84.268 Federal Award Year 2022-2023 Condition During our cash management testing, we identified the following instances of excess cash: • The Institute had three instances of return of funds that resulted in excess cash for Federal Direct Student Loans ranging from $94 to $46,049 during the period of September 19, 2022 through November 29, 2022. In these situations, the excess cash amounts, being less than one percent of total prior year drawdowns, were not returned within a seven day tolerance period, as outlined below.   Criteria Uniform Grant Guidance (34 CFR 668.166) states the Secretary considers excess cash to be any amount of title IV, HEA program funds, other than Federal Perkins Loan program funds, that an institution does not disburse to students by the end of the third business day following the date the institution (1) received those funds from the Secretary; or (2) deposited or transferred to its depository account previously disbursed title IV, HEA program funds, such as those resulting from awards adjustments, recoveries, or cancellations. An institution may maintain for up to seven days an amount of excess cash that does not exceed one percent of the total amount of funds the institution drew down in the prior award year. The institution must return immediately to the Secretary any amount of excess cash over the one-percent tolerance and any amount of excess cash remaining in its account after the seven-day tolerance period. Uniform Grant Guidance (2 CFR 200.303) requires nonfederal entities receiving Federal awards establish and maintain internal controls deigned to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure excess cash is properly handled. Questioned Costs There were no questioned costs related to testing of excess cash. Cause During this period of time, Erikson was without a Student Bursar due to a resignation in September 2022. The Student Bursar is responsible for requesting and monitoring the return of federal funds. With the staff transition there was a gap in monitoring cash management procedures. In December 2022 all excess cash was returned. A new Student Bursar was hired in November 2022 and onboarding included comprehensive federal funds cash management training with an outside consultant. Context Ranging from $94 - $46,049 during the period from Sept 19 – Nov 29. Effect Excess cash is noncompliance with Federal regulation and could result in the loss of future funding. Recommendation We recommend the Institute review current processes for monitoring cash management and implement procedures that eliminate excess cash. Views of Responsible Officials We agree with this finding. See corrective action plan.