Audit 298877

FY End: 2023-06-30
Total Expended: $11.10M
Findings: 4
Programs: 17
Year: 2023
Accepted: 2024-03-27

Findings

ID Ref Severity Repeat Requirement
386592 2023-001 Significant Deficiency - N
386593 2023-001 Significant Deficiency - N
963034 2023-001 Significant Deficiency - N
963035 2023-001 Significant Deficiency - N

Contacts

Name Title Type
C2QYJSTXRCN9 Joann Miguel Auditee
5203830025 Melissa Seida Auditor

Notes to SEFA

Accounting Policies (same for all notes): Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years.
De Minimis Rate Used (same for all notes): N
Rate Explanation (same for all notes): The Organization has not elected to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance.

Title: 1. Basis of Presentation
The accompanying schedule of expenditures of federal awards (the “Schedule”) includes the federal award activity of the Organization under programs of the federal government for the year ended June 30, 2023. The information in this Schedule is presented in accordance with the requirements of the Uniform Guidance. Because the Schedule presents only a selected portion of the operations of the Organization, it is not intended to and does not present the financial position, changes in net assets, or cash flows of the Organization.

Title: 2. Summary of Significant Accounting Policies
Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years.

Title: 3. Endowment
The Organization has $103,953 of restricted endowment moneys as of June 30, 2023. 2 CFR Part 200.502(e) states the cumulative balance of Federal awards for endowment funds that are federally restricted are considered Federal awards expended in each audit period in which the funds are still restricted. Given this, $103,953 is considered expended and is shown on the schedule of expenditures of federal awards under ALN 15.028 Tribally Controlled Community College Endowments.

Title: 4. Indirect Cost rate
The Organization has not elected to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance.

Finding Details

Special Tests and Provisions: Gramm-Leach-Bliley Act Student Information Security (Significant Deficiency) and Compliance

Federal Agency: U.S. Department of Education (“ED”)
Program Title: Federal Supplemental Educational Opportunity Grants, Federal Pell Grant Program
Assistance Listing Numbers: 84.007, 84.063
Federal Award Source: Direct funding
Pass-Through Entity: N/A
Pass-Through Identifying Number: N/A

Criteria – Title IV-eligible institutions are subject to the Gramm-Leach-Bliley Act (the “Act”). The Act requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Act because they appear to be significantly engaged in wiring funds to consumers. Institutions agree to comply with the Act in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs. Institutions are required to be in compliance with the Act’s requirements by June 9, 2023. Institutions are required to develop, implement and maintain a written comprehensive information security program that addresses seven required elements, including the design and implementation of several key safeguards. One of these safeguards is the implementation of multi-factor authentication for anyone accessing customer information on the institution’s system.

Condition and Context – During our testing of special tests and provisions related to the Act, auditor obtained the Organization’s written information security program, made inquiries with the Organization’s management and qualified individual responsible for overseeing, implementing and enforcing the Organization’s information security program, and noted multi-factor authentication was not implemented for the Organization’s general ledger system, Jenzabar, nor its student financial aid software, PowerFAIDS, both of which contain sensitive customer information. In addition, a reasonable equivalent to multi-factor authentication was not implemented. Lastly, the written information security program was not implemented by the June 9, 2023 deadline.

Cause and Effect – Per our discussions with the Organization’s qualified individual responsible for overseeing, implementing and enforcing the Organization’s information security program, it was noted that configuration of multi-factor authentication is currently not available for the versions of Jenzabar and PowerFAIDS the Organization has and the Organization has had discussions with one of the software providers thereto. However, due to the lack of multi-factor authentication, there is an increased risk of unauthorized access to sensitive student information.

Questioned Costs - None identified.

Recommendation - We recommend that the Organization implement multi-factor authentication, or a reasonable equivalent as allowed by the Act, for its computer software programs containing sensitive customer information, Jenzabar and PowerFAIDS.

View of Responsible Officials - We agree with the finding and are in the process of developing multi-factor authentication, or a reasonable equivalent, for our computer software programs containing sensitive customer information, Jenzabar and PowerFAIDS. See our Corrective Action Plan for the fiscal year ended June 30, 2023 for additional detail.