FAC Explorer

Audit 298663

FY End
2023-06-30
Total Expended
$25.54M
Findings
2
Programs
9
Organization: Upper Iowa University (IA)
Year: 2023 Accepted: 2024-03-27
Auditor: Baker Tilly US LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
386239 2023-001 - - N
962681 2023-001 - - N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $19.80M Yes 0
84.063 Federal Pell Grant Program $4.93M Yes 1
84.007 Federal Supplemental Educational Opportunity Grants $241,491 Yes 0
47.076 Stem Education $199,134 - 0
84.033 Federal Work-Study Program $177,418 Yes 0
84.379 Teacher Education Assistance for College and Higher Education Grants (teach Grants) $84,637 Yes 0
66.951 Environmental Education Grants $57,563 - 0
16.525 Grants to Reduce Domestic Violence, Dating Violence, Sexual Assault, and Stalking on Campus $26,150 - 0
84.038 Federal Perkins Loan Program $23,506 Yes 0

Contacts

Name Title Type
RC6QXW77MA38 Stacie Burington Auditee
8005534150 Nicki Donlon Auditor
No contacts on file

Notes to SEFA

Title: Basis of Presentation Accounting Policies: 2 CFR 200.510(b)(6) De Minimis Rate Used: N Rate Explanation: N/A The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of Upper Iowa University under programs of the federal government for the year ended June 30, 2023. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the University, it is not intended to and does not present the financial position, changes in net assets or cash flows of the University.
Title: Summary of Significant Accounting Policies Accounting Policies: 2 CFR 200.510(b)(6) De Minimis Rate Used: N Rate Explanation: N/A Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement.
Title: Indirect Cost Rate Accounting Policies: 2 CFR 200.510(b)(6) De Minimis Rate Used: N Rate Explanation: N/A The University has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance.
Title: Federal Perkins Loan Program Accounting Policies: 2 CFR 200.510(b)(6) De Minimis Rate Used: N Rate Explanation: N/A The Federal Perkins Loan Program (ALN 84.038) is administered directly by the University, and balances and transactions relating to this program are included in the University’s basic consolidated financial statements. Loans outstanding at the beginning of the year and loans made during the year are included in the federal expenditures presented in the Schedule. Federal Perkins loans outstanding at June 30, 2023 totaled $0 as the University liquidated their portfolio of loans during the year.
Title: Federal Perkins Loan Program Liquidation Accounting Policies: 2 CFR 200.510(b)(6) De Minimis Rate Used: N Rate Explanation: N/A In fiscal 2023, the University elected to cease participation in the Perkins Loan Program. The fiscal year 2023 Single Audit included testing of the Federal Perkins Loan liquidation compliance requirements and the University properly performed end-of-participation procedures in accordance with the OMB Compliance Supplement.

Finding Details

Finding 2023-001
Criteria: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). In 2021, the Federal Trade Commission issued final regulations that altered the current required elements of an information security program and added several new elements. Under the regulations, institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The written information security program for institutions must address all elements that apply. The elements for the information security programs set forth in this section 16 CFR 314.4 are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed. Condition: The University does not have a written information security program that addresses all elements that apply. Cause: The University did not have procedures and processes in place specific to GLBA and therefore, did not have written documentation of all required elements. Effect: Failure to comply with the requirements of GLBA standards puts the University at risk of compromising consumer, nonpublic personal information. Questioned Costs: Not applicable. Context: Not applicable. Recommendation: The University should perform and document an annual risk assessment to determine the University's specific risks relevant to protecting consumer nonpublic personal information. At a minimum, the University should address each of the required minimum elements noted in the GLBA regulations (16 CFR 314.4). Management's Response: The cause of the reported issue stems from the lack of written documentation of policies and procedures specific to GLBA requirements. The issue is being addressed by the Director of Information Technology and a campus-wide committee overseeing information security. The documented information security program has been drafted and will address the GLBA cybersecurity requirements.
Finding 2023-001
Criteria: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). In 2021, the Federal Trade Commission issued final regulations that altered the current required elements of an information security program and added several new elements. Under the regulations, institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The written information security program for institutions must address all elements that apply. The elements for the information security programs set forth in this section 16 CFR 314.4 are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed. Condition: The University does not have a written information security program that addresses all elements that apply. Cause: The University did not have procedures and processes in place specific to GLBA and therefore, did not have written documentation of all required elements. Effect: Failure to comply with the requirements of GLBA standards puts the University at risk of compromising consumer, nonpublic personal information. Questioned Costs: Not applicable. Context: Not applicable. Recommendation: The University should perform and document an annual risk assessment to determine the University's specific risks relevant to protecting consumer nonpublic personal information. At a minimum, the University should address each of the required minimum elements noted in the GLBA regulations (16 CFR 314.4). Management's Response: The cause of the reported issue stems from the lack of written documentation of policies and procedures specific to GLBA requirements. The issue is being addressed by the Director of Information Technology and a campus-wide committee overseeing information security. The documented information security program has been drafted and will address the GLBA cybersecurity requirements.