Audit 297875

FY End: 2023-06-30
Total Expended: $19.01M
Findings: 10
Programs: 13
Organization: Milwaukee School of Engineering (WI)
Year: 2023
Accepted: 2024-03-26

Findings

ID Ref Severity Repeat Requirement
384759 2023-001 Significant Deficiency - N
384760 2023-001 Significant Deficiency - N
384761 2023-001 Significant Deficiency - N
384762 2023-001 Significant Deficiency - N
384763 2023-001 Significant Deficiency - N
961201 2023-001 Significant Deficiency - N
961202 2023-001 Significant Deficiency - N
961203 2023-001 Significant Deficiency - N
961204 2023-001 Significant Deficiency - N
961205 2023-001 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $14.28M Yes 1
84.063 Federal Pell Grant Program $2.77M Yes 1
84.038 Federal Perkins Loan $702,240 Yes 1
84.033 Federal Work-Study Program $278,938 Yes 1
84.007 Federal Supplemental Educational Opportunity Grants $255,716 Yes 1
93.350 National Center for Advancing Translational Sciences $111,720 - 0
47.070 Computer and Information Science and Engineering $74,496 - 0
47.076 Education and Human Resources $36,434 - 0
47.041 Engineering $29,680 - 0
93.859 Biomedical Research and Research Training $21,040 - 0
93.394 Cancer Detection and Diagnosis Research $15,007 - 0
43.008 Education $11,492 - 0
84.126 Rehabilitation Services - Vocational Rehabilitation Grants to States $3,933 - 0

Contacts

Name Title Type
M6RCJVHKTHJ5 Paul Matson Auditee
4142777126 Ryan J. Lay Auditor
No contacts on file

Notes to SEFA

Title: Basis of Presentation and Oversight and Cognizant Agencies
Accounting Policies: Expenditures reported on the Schedules are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown in the Schedules represent adjustment or credits made in the normal course of business to amounts reported as expenditures in prior years.
De Minimis Rate Used: N
Rate Explanation: The University has elected not to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance. The University has an approved allowable indirect cost rate.
The accompanying schedules of expenditures of federal and state awards (the Schedules) include the federal and state award activity of Milwaukee School of Engineering (the University) under programs of the federal and state government for the year ended June 30, 2023. The information in these Schedules is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) and the State Single Audit Guidelines (Guidelines). For purposes of these Schedules, federal programs have been classified as follows: 1) Individual Programs and Other Clusters; 2) the Research and Development Program (R&D) Cluster, including R&D grants received directly from the federal government and R&D subgrants received from other organizations (pass-throughs); 3) the Student Financial Assistance Program (SFA) Cluster. Direct federal awards and subgrants are presented for each federal agency by the Assistance Listing Number (ALN) when available in the grant agreements or determinable based on a grant's source and purpose.
Because these Schedules present only a select portion of the operations of the University, they are not intended to and do not present the consolidated financial position, consolidated changes in net assets or consolidated cash flows of the University. The University’s federal oversight agency for audit is the U.S. Department of Education. The University’s state cognizant agency is the Wisconsin Higher Educational Aids Board.
Title: Federal Student Loan Program
The Federal Perkins loan program is administered directly by the University, and balances and transactions relating to this program are included in loans to students in the University’s consolidated financial statements. The beginning balance plus the loans made during the year are included in the federal expenditures presented in the Schedule. The balance of loans outstanding at June 30, 2023 is $544,684. The Extension Act amended section 461 of the Higher Education Act to end the University’s authority to make new Perkins Loans after June 30, 2018. The University is not required to assign the outstanding Perkins Loans to the Department or liquidate their Perkins Loan Revolving Funds due to the wind-down of the Perkins Loan Program, however, the University may choose to liquidate at any time in the future. As of June 30, 2023, the University continues to service the Perkins Loan Program.
Title: College Matching Funds
The Schedule includes only federal and state awards expended for the various programs. The University is required to provide matching funds for certain federal programs. The total amount of matching funds provided by the University was $155,938 and $51,375 for federal and state programs, respectively, during fiscal year 2023.
Title: Administrative Cost Allowance
The Student Financial Assistance Programs allowable expenditures for the fiscal year 2023 include amounts claimed for administrative costs of $3,000.
Title: Programs by Agency
The University received the following federal awards by department:
U.S. Department of Education: $18,293,663
U.S. Department of Health and Human Services: $204,510
National Aeronautics and Space Administration: $24,889
National Science Foundation: $491,432
Total federal awards: $19,014,494

Finding Details

Agencies: US Department of Education
Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038
Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program
Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts.
Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023.
Questioned Costs: The amount of any questioned costs could not be determined.
Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023.
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314.
Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed.
Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance.
Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314.
Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed.
Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance.
Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.