Audit 299031

FY End: 2023-06-30
Total Expended: $27.59M
Findings: 12
Programs: 14
Organization: Alverno College (WI)
Year: 2023 Accepted: 2024-03-28


Findings

ID Ref Severity Repeat Requirement
386725 2023-001 Significant Deficiency - N
386726 2023-001 Significant Deficiency - N
386727 2023-001 Significant Deficiency - N
386728 2023-001 Significant Deficiency - N
386729 2023-001 Significant Deficiency - N
386730 2023-001 Significant Deficiency - N
963167 2023-001 Significant Deficiency - N
963168 2023-001 Significant Deficiency - N
963169 2023-001 Significant Deficiency - N
963170 2023-001 Significant Deficiency - N
963171 2023-001 Significant Deficiency - N
963172 2023-001 Significant Deficiency - N

Contacts

Name Title Type
WCMLW2MWGPZ4 Dawn Peterson Auditee
4143826127 Ryan Lay Auditor
No contacts on file

Notes to SEFA

Title: Basis of Presentation
Accounting Policies: Expenditures reported on the Schedules are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedules represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years.
De Minimis Rate Used: N
Rate Explanation: The College has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance.
The accompanying schedules of expenditures of federal and state awards (the Schedules) includes federal and state award activity of Alverno College (the College) under programs of the federal and state governments for the year ended June 30, 2023. The information in these Schedules is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) and the State Single Audit Guidelines. Because these Schedules present only a selected portion of the operations of the College, it is not intended to and does not present the financial position, changes in net assets or cash flows of the College.

Title: Federal Student Loan Program
Accounting Policies: Expenditures reported on the Schedules are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedules represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years.
De Minimis Rate Used: N
Rate Explanation: The College has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance.
The Federal Perkins Loan Program is administered directly by the College, and balances and transactions relating to this program are included in loans to students in the College's financial statements. Loans outstanding at the beginning of the year and loans made during the year are included in the federal expenditures presented in the Schedules. The balance of loans outstanding at June 30, 2023 is $266,924. The Perkins Loan Program is ending and no additional loans are granted in the year ended June 30, 2023.

Finding Details

Agencies: US Department of Education
Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038, 84.379
Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program,
Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts.
Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023.
Questioned Costs: The amount of any questioned costs could not be determined.
Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023.
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314.
Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed.
Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance.
Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038, 84.379 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038, 84.379 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038, 84.379 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038, 84.379 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038, 84.379 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038, 84.379 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038, 84.379 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038, 84.379 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.
Agencies: US Department of Education Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038, 84.379 Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program, Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. Questioned Costs: The amount of any questioned costs could not be determined. Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023. 
Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314. Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed. Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance. Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.