Audit 298956

FY End: 2023-06-30
Total Expended: $8.86M
Findings: 18
Programs: 27
Year: 2023
Accepted: 2024-03-27

Findings

ID Ref Severity Repeat Requirement
386628 2023-001 Significant Deficiency - E
386629 2023-002 Significant Deficiency Yes N
386630 2023-002 Significant Deficiency Yes N
386631 2023-003 Significant Deficiency - N
386632 2023-003 Significant Deficiency - N
386633 2023-003 Significant Deficiency - N
386634 2023-003 Significant Deficiency - N
386635 2023-003 Significant Deficiency - N
386636 2023-004 Significant Deficiency - N
963070 2023-001 Significant Deficiency - E
963071 2023-002 Significant Deficiency Yes N
963072 2023-002 Significant Deficiency Yes N
963073 2023-003 Significant Deficiency - N
963074 2023-003 Significant Deficiency - N
963075 2023-003 Significant Deficiency - N
963076 2023-003 Significant Deficiency - N
963077 2023-003 Significant Deficiency - N
963078 2023-004 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Loans $4.87M Yes 2
84.063 Federal Pell Grant Program $1.69M Yes 3
84.038 Federal Perkins Loans $1.21M Yes 2
84.033 Federal Work-Study Program $230,509 Yes 1
84.007 Federal Supplemental Educational Opportunity Grants $223,867 Yes 1
47.049 Nsf: Leaps Malmskog $122,091 - 0
47.049 Nsf: Leaps Light $104,092 - 0
47.070 Nsf: Burge Cise $61,731 - 0
47.050 Nsf: Grtaz Mercury Oxid Pat $57,892 - 0
47.078 Nsf: Ici-Hot in West Antarctica $49,118 - 0
47.050 Nsf: Firp - Gratz Course $46,463 - 0
47.050 Nsf: Testing Models-Sibumas $37,177 - 0
43.001 Nasa: Stsci: Radiation Field of Li(n)ers: the Milky Way As An Extragalactic System $23,194 - 0
47.074 Nsf: Barnes Career $21,418 - 0
93.575 Child Care Operations Stabilizations Grant $19,660 - 0
47.078 Nsf: Testing the Linchpin Wais $18,837 - 0
47.076 Nsf: Progress; Barnes Iuse Mentoring $15,524 - 0
43.001 Nasa: Stsci: the Lmc's Galactic Wind Through the Eyes of Ullyses $15,450 - 0
47.050 Nsf: Gevedon Rodingites $13,648 - 0
47.050 Nsf: Schanz Bedrock Rivers $11,943 - 0
47.049 Nsf: Sub: Moran Geometric Top $6,815 - 0
43.001 Nasa: Stsci: Testing the Limits of Mass Transfer Stability with A Post-Mass_transfer Binary in M67 $4,961 - 0
93.575 Child Care Workforce Sustainability Grant $3,566 - 0
47.050 Nsf: Collab Res Recruit Woman Geoscience $717 - 0
47.074 Nsf: Barnes Soil & Wildfire $363 - 0
43.001 Nasa: Blue Lurkers: Low-Mass Blue Stragglers & Stability of Mass Transfer $269 - 0
47.049 Nsf: Leaps2; Part Suppo Malmskog $-784 - 0

Contacts

Name Title Type
VADVPKVXRVW3 Lori Seager Auditee
7193896953 Jean Bushong Auditor

Notes to SEFA

Title: BASIS OF PRESENTATION
Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts, if any, shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. The College has elected not to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance.
De Minimis Rate Used: N
Rate Explanation: The College has elected not to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance.
The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of The Colorado College (the College) under programs of the federal government for the year ended June 30, 2023. The information in this Schedule is presented in accordance with the requirements of 2 CFR Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the College, it is not intended to and does not present the financial position, changes in net assets, or cash flows of the College.

Title: FEDERAL STUDENT LOAN PROGRAMS
Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts, if any, shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. The College has elected not to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance.
De Minimis Rate Used: N
Rate Explanation: The College has elected not to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance.
The federal student loan programs listed subsequently are administered directly by the College, and balances and transactions relating to these programs are included in the College’s basic financial statements. Loans outstanding at the beginning of the year and loans made during the year are included in the federal expenditures presented in the Schedule. The balance of loans outstanding at June 30, 2023 consists of:

Program Title                  Assistance Listing Number   Amount Outstanding
Federal Perkins Loan Program   84.038                      $855,286

Title: SUBRECIPIENTS
Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts, if any, shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. The College has elected not to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance.
De Minimis Rate Used: N
Rate Explanation: The College has elected not to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance.
There were no amounts to report on the Schedule that were passed through to subrecipients.

Finding Details

Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 690.62 states the Pell grant for an academic year is based upon the payment and disbursement schedule published by the Secretary for each award year. The payment schedule takes into account the cost of attendance, the student’s expected family contribution (EFC) and the enrollment status of the student.
Condition: One of forty students tested was underawarded Pell grant funds.
Context: An erroneous computation of the student’s eligibility resulted in an underaward.
Questioned costs: Known - $401. Likely - $7,953
Cause: The Pell grant was computed utilizing an outdated Pell schedule that had not been updated before awarding was locked.
Effect: A student was underawarded Pell funds.
Repeat Finding: No
Recommendation: We recommend the College evaluate its procedures and policies around Pell grant awarding to ensure all Pell funds are awarded at proper amounts.
Views of responsible officials and management’s response: The College agrees with the finding.

Criteria or specific requirement: Per 34 CFR 685.309(b)(2)(i), and as outlined in the OMB Compliance Supplement Part 5, enrollment information related to a change in status must be reported to the National Student Loan Database System (NSLDS) within 15 days whenever attendance status changes for students, unless a roster will be submitted within 60 days.
Condition: During testing of underlying enrollment information, we identified the following:
• One student’s status change was not submitted to the NSLDS within 60 days.
Context: We tested a sample of 20 students. Of the 20 students, we noted one student had the exception noted above.
Questioned costs: None.
Cause: Per discussion with the College, the College submitted all degree students to their third-party servicer via a file that was processed on June 22, 2023. It was unknown by the College why the third-party servicer did not process certain students appropriately which caused them not to be reported to NSLDS in a timely manner.
Effect: The College is out of compliance with National Student Loan Database System (NSLDS) reporting requirements.
Repeat Finding: Yes. See 2022-002 in the summary schedule of prior audit findings.
Recommendation: We recommend the College evaluate its procedures and policies around reporting to NSLDS, including oversight and inquiry of the third-party servicer, to ensure that student information is reported accurately and timely.
Views of responsible officials and management’s response: The College agrees with the finding.

Criteria or specific requirement: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Act requires:
• The information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• The institution design and implement safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The minimum safeguards that the written information security program must address are summarized as follows:
  o Conduct a periodic inventory of data, noting where it's collected, stored, or transmitted.
  o Assess apps developed by the institution.
  o Implement multi-factor authentication (MFA) for anyone accessing customer information on the institution's system.
• The institution must regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
Condition: During testing we noted the following exceptions:
• Safeguards were not clearly linked in their policy.
  o The College did not document that it conducts a periodic inventory of data, noting where it’s collected, stored, or transmitted.
  o There was no evidence indicating a discussion to standardize the use of MFA for end users.
• The College does not have a written risk management section of their information technology policies.
• There was no written policy regarding program development and software practices in relation to sensitive information.
• The College does not have a written policy that identifies continuous monitoring or control testing that takes place periodically.
Context: We tested the requirements of GLBA by reviewing College policy and procedures.
Questioned costs: None.
Cause: The College did not have policies or procedures indicating their compliance with certain aspects of GLBA.
Effect: The College did not comply with GLBA requirements.
Repeat Finding: No
Recommendation: We recommend the College update their IT policies and procedures to follow the guidelines outlined by the GLBA.
Views of responsible officials and management’s response: The College agrees with the finding.

Criteria or specific requirement: Code of Federal Regulations 2 CFR 200.303 Title 34, Subtitle B, Chapter VI, Part 674.19 requires that in administering its Federal Perkins Loan program, an institution shall establish and maintain an internal control system of checks and balances that ensures that no office can both authorize payments and disburse funds to students. When an institution uses a third-party servicer for its Perkins Loan program, the institution must perform due diligence to ensure that the third-party service is in compliance with the requirements for the functions the third-party servicer is performing for the institution. Such due diligence could include obtaining and reviewing the third-party servicer’s most recent Title IV compliance audit.
Condition: The College utilizes a third-party service provider for Perkins Loan servicing. Federal regulations require the institution to perform due diligence on the third-party servicer to ensure they are following federal regulations. The College did not perform their due diligence for fiscal year 2023.
Context: The due diligence typically performed by the College is the review of the third-party servicer’s compliance report. However, the third-party servicer was delayed in having this report issued. The College did not have an alternate plan for performing due diligence over the third-party servicer.
Questioned costs: None.
Cause: The third-party servicer did not have their Title IV compliance audit report completed for the year ending June 30, 2023, so that the College could perform their required due diligence on the third-party servicer, and the College did not have an alternate plan established.
Effect: The College did not perform due diligence to ensure that the third-party service is in compliance with the requirements for the functions the third-party servicer is performing for the institution.
Repeat Finding: No
Recommendation: We recommend the College implement a procedure with the third-party servicer to ensure that their Title IV compliance report is completed timely or develop other due diligence procedures to meet the federal regulations.
Views of responsible officials and management’s response: There is no disagreement with the audit finding.
Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 690.62 states the Pell grant for an academic year is based upon the payment and disbursement schedule published by the Secretary for each award year. The payment schedule takes into account the cost of attendance, the student’s expected family contribution (EFC) and the enrollment status of the student. Condition: One of forty students tested was underawarded Pell grant funds. Context: An erroneous computation of the student’s eligibility resulted in an underaward. Questioned costs: Known - $401. Likely - $7,953 Cause: The Pell grant was computed utilizing an outdated Pell schedule that had not been updated before awarding was locked. Effect: A student was underawarded Pell funds. Repeat Finding: No Recommendation: We recommend the College evaluate its procedures and policies around Pell grant awarding to ensure all Pell funds are awarded at proper amounts. Views of responsible officials and management’s response: The College agrees with the finding.
Criteria or specific requirement: Per 34 CFR 685.309(b)(2)(i), and as outlined in the OMB Compliance Supplement Part 5, enrollment information related to a change in status must be reported to the National Student Loan Database System (NSLDS) within 15 days whenever attendance status changes for students, unless a roster will be submitted within 60 days. Condition: During testing of underlying enrollment information, we identified the following: • One student’s status change was not submitted to the NSLDS within 60 days. Context: We tested a sample of 20 students. Of the 20 students, we noted one student had the exception noted above. Questioned costs: None. Cause: Per discussion with the College, the College submitted all degree students to their third-party servicer via a file that was processed on June 22, 2023. It was unknown by the College why the third-party servicer did not process certain students appropriately which caused them not to be reported to NSLDS in a timely manner. Effect: The College is out of compliance with National Student Loan Database System (NSLDS) reporting requirements. Repeat Finding: Yes. See 2022-002 in the summary schedule of prior audit findings. Recommendation: We recommend the College evaluate its procedures and policies around reporting to NSLDS, including oversight and inquiry of the third-party servicer, to ensure that student information is reported accurately and timely. Views of responsible officials and management’s response: The College agrees with the finding.
Criteria or specific requirement: Per 34 CFR 685.309(b)(2)(i), and as outlined in the OMB Compliance Supplement Part 5, enrollment information related to a change in status must be reported to the National Student Loan Database System (NSLDS) within 15 days whenever attendance status changes for students, unless a roster will be submitted within 60 days. Condition: During testing of underlying enrollment information, we identified the following: • One student’s status change was not submitted to the NSLDS within 60 days. Context: We tested a sample of 20 students. Of the 20 students, we noted one student had the exception noted above. Questioned costs: None. Cause: Per discussion with the College, the College submitted all degree students to their third-party servicer via a file that was processed on June 22, 2023. It was unknown by the College why the third-party servicer did not process certain students appropriately which caused them not to be reported to NSLDS in a timely manner. Effect: The College is out of compliance with National Student Loan Database System (NSLDS) reporting requirements. Repeat Finding: Yes. See 2022-002 in the summary schedule of prior audit findings. Recommendation: We recommend the College evaluate its procedures and policies around reporting to NSLDS, including oversight and inquiry of the third-party servicer, to ensure that student information is reported accurately and timely. Views of responsible officials and management’s response: The College agrees with the finding.
Criteria or specific requirement: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Act requires:
• The information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• The institution design and implement safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The minimum safeguards that the written information security program must address are summarized as follows:
  o Conduct a periodic inventory of data, noting where it's collected, stored, or transmitted.
  o Assess apps developed by the institution.
  o Implement multi-factor authentication (MFA) for anyone accessing customer information on the institution's system.
• The institution must regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
Condition: During testing we noted the following exceptions:
• Safeguards were not clearly linked in their policy.
  o The College did not document that it conducts a periodic inventory of data, noting where it’s collected, stored, or transmitted.
  o There was no evidence indicating a discussion to standardize the use of MFA for end users.
• The College does not have a written risk management section of their information technology policies.
• There was no written policy regarding program development and software practices in relation to sensitive information.
• The College does not have a written policy that identifies continuous monitoring or control testing that takes place periodically.
Context: We tested the requirements of GLBA by reviewing College policy and procedures.
Questioned costs: None.
Cause: The College did not have policies or procedures indicating their compliance with certain aspects of GLBA.
Effect: The College did not comply with GLBA requirements.
Repeat Finding: No
Recommendation: We recommend the College update their IT policies and procedures to follow the guidelines outlined by the GLBA.
Views of responsible officials and management’s response: The College agrees with the finding.
Criteria or specific requirement: Code of Federal Regulations 2 CFR 200.303 Title 34, Subtitle B, Chapter VI, Part 674.19 requires that in administering its Federal Perkins Loan program, an institution shall establish and maintain an internal control system of checks and balances that ensures that no office can both authorize payments and disburse funds to students. When an institution uses a third-party servicer for its Perkins Loan program, the institution must perform due diligence to ensure that the third-party servicer is in compliance with the requirements for the functions the third-party servicer is performing for the institution. Such due diligence could include obtaining and reviewing the third-party servicer’s most recent Title IV compliance audit.
Condition: The College utilizes a third-party service provider for Perkins Loan servicing. Federal regulations require the institution to perform due diligence on the third-party servicer to ensure they are following federal regulations. The College did not perform their due diligence for fiscal year 2023.
Context: The due diligence typically performed by the College is the review of the third-party servicer’s compliance report. However, the third-party servicer was delayed in having this report issued. The College did not have an alternate plan for performing due diligence over the third-party servicer.
Questioned costs: None.
Cause: The third-party servicer did not have their Title IV compliance audit report completed for the year ending June 30, 2023, so that the College could perform their required due diligence on the third-party servicer, and the College did not have an alternate plan established.
Effect: The College did not perform due diligence to ensure that the third-party servicer is in compliance with the requirements for the functions the third-party servicer is performing for the institution.
Repeat Finding: No
Recommendation: We recommend the College implement a procedure with the third-party servicer to ensure that their Title IV compliance report is completed timely or develop other due diligence procedures to meet the federal regulations.
Views of responsible officials and management’s response: There is no disagreement with the audit finding.