Audit 299972

FY End: 2023-06-30
Total Expended: $13.02M
Findings: 8
Programs: 9
Organization: Dewey University Inc. (PR)
Year: 2023
Accepted: 2024-03-28
Auditor: Galindez LLC

Findings

ID Ref Severity Repeat Requirement
388216 2023-001 Significant Deficiency - N
388217 2023-001 Significant Deficiency - N
388218 2023-001 Significant Deficiency - N
388219 2023-001 Significant Deficiency - N
964658 2023-001 Significant Deficiency - N
964659 2023-001 Significant Deficiency - N
964660 2023-001 Significant Deficiency - N
964661 2023-001 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
84.063 Federal Pell Grant Program $6.85M Yes 1
84.268 Federal Direct Student Loans $3.72M Yes 1
84.031C Higher Education_institutional Aid $742,571 - 0
84.425F Education Stabilization Fund $702,589 - 0
84.031S Higher Education_institutional Aid $623,992 - 0
84.007 Federal Supplemental Educational Opportunity Grants $120,323 Yes 1
84.033 Federal Work-Study Program $110,314 Yes 1
84.031M Higher Education_institutional Aid $109,513 - 0
84.116 Fund for the Improvement of Postsecondary Education $35,003 - 0

Contacts

Name Title Type
LFHNRRX5ZRK5 Mayra Vilanova Auditee
7877530039 Henry Flores Auditor

Notes to SEFA

Title: Basis of presentation
Accounting Policies: The Schedule is prepared from the University’s accounting records and is not intended to present its financial position or the results of its operations. The financial transactions are recorded by the University in accordance with the terms and conditions of the grants, which are consistent with accounting principles generally accepted in the United States of America. Expenditures are recognized in the accounting period in which the liability is incurred, if measurable or when actually paid, whichever occurs first. Expenditures are reported on the Schedule following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures may or may not be allowable or may be limited as to reimbursement. The University has elected not to use the 10-percent de minimis indirect cost rate as allowed under the Uniform Guidance.
De Minimis Rate Used: N
Rate Explanation: The University has elected not to use the 10-percent de minimis indirect cost rate as allowed under the Uniform Guidance.
Note: The accompanying supplemental schedule of expenditures of federal awards (the Schedule) includes the federal grant activity of Dewey University, Inc. (the University) and is presented on the accrual basis of accounting. The information in the Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Therefore, some amounts presented in the Schedule may differ from amounts presented in, or used in, the preparation of the University’s financial statements. Because the Schedule presents only a selected portion of the activities of the University, it is not intended to, and does not, present the financial position, changes in net assets, and cash flows of the University. Funds received for students’ financial assistance (principally, Pell Grant and Direct Loans) that are awarded directly to students for educational purposes are excluded from revenues and expenses. These grants are applied to the students’ tuition and fees, and any excess is paid to the students.

Title: Summary of significant accounting policies
Note: The Schedule is prepared from the University’s accounting records and is not intended to present its financial position or the results of its operations. The financial transactions are recorded by the University in accordance with the terms and conditions of the grants, which are consistent with accounting principles generally accepted in the United States of America. Expenditures are recognized in the accounting period in which the liability is incurred, if measurable or when actually paid, whichever occurs first. Expenditures are reported on the Schedule following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures may or may not be allowable or may be limited as to reimbursement. The University has elected not to use the 10-percent de minimis indirect cost rate as allowed under the Uniform Guidance.

Title: Assistance Listing Number (ALN)
Note: The ALN included in the Schedule are determined based on the program name, review of grant contract information and the public description of federal assistance listings published by the U.S. Government on sam.gov.

Title: Major federal programs
Note: Major federal programs are identified in the Summary of Auditors’ Results Section in the Schedule of Findings and Questioned Costs. Federal programs are presented by federal agency.

Title: Accounting policies for loans and loan guarantees
Note: The University participates in the Federal Direct Student Loans (Direct Loans) Program (ALN 84.268) of the U.S. Department of Education (USDE). Under the Direct Loans program, the University is responsible only for certain administrative duties; accordingly, the disbursements under the program and the outstanding loan balances are excluded from the financial statements of the University. However, Direct Loans are considered a component of the student financial assistance programs of the University; as such, new loans processed during the year ended June 30, 2023 amounting to $3,724,607 were included in the Schedule. Federal expenditures for Direct Loans are determined when loans are made to the students; accordingly, the balance of Direct Loans from previous years is not considered federal expenditures of the current year.

Finding Details

Finding No. 2023-001: Gramm-Leach-Bliley Act–Student Information Security
Federal Program: ALN 84.007 Federal Supplemental Educational Opportunity Grant Program; ALN 84.033 Federal Work-Study Program; ALN 84.063 Federal Pell Grant Program; ALN 84.268 Federal Direct Student Loan Program
Name of Federal Agency: U.S. Department of Education
Pass-through Entity: N/A
Type of Finding: Compliance / Internal Control
Category: Significant deficiency
Compliance Requirement: N. Special Tests and Provisions

Criteria: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4), require the University to:
a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
1. Implement and periodically review access controls.
2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
3. Encrypt customer information on the institution’s system and when it’s in transit.
4. Assess apps developed by the institution.
5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
6. Dispose of customer information securely.
7. Anticipate and evaluate changes to the information system or network.
8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)).
g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data.

Condition: During our audit procedures, we noted that the University’s risk assessment did not fully address all the elements required by 16 CFR 314.4. Accordingly, the following elements were missing:
1. Evidence of an annual security report to those charged with governance
2. Vulnerability test
3. Disaster recovery plan
4. No backup test was performed during the year ended June 30, 2023.

Cause: In past years there has been high turnover in the position of the qualified individual responsible for overseeing and implementing the institution’s information security program. As a result, some of the procedures and policies established in the information security program risk assessment have not been consistently or continuously maintained.

Effect: The student personal information could be vulnerable. In addition, the Department of Education (DE) has informed through electronic announcements (EA) that “when an audit report that includes a GLBA audit finding is received by the Department, they will refer the audit to the Federal Trade Commission (FTC). Once the finding is referred to the FTC, that finding will be considered closed for the Department’s audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding.”

Questioned cost: N/A

Context: The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable.

Identification of a repeat finding: This is not a repeat finding.

Recommendation: We recommend that management implement policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c).

Views of responsible officials and planned corrective actions: The University’s management agrees with this finding. Please refer to the corrective action plan on pages 47-48.
g) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Evidence of annual security report to those charge with governance 2. Vulnerability test 3. Disaster recovery plan 4. No backup test was performed during year ended June 30, 2023. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the institution’s information security program. As a result, some of the procedures and policies established in the information security program risk assessment have not been consistently or continuously maintained. Effect The student personal information could be vulnerable. In addition, the Department of Education (DE) has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received by the Department, they will refer the audit to the Federal Trade Commission (FTC). 
Once the finding is referred to the FTC, that finding will be considered closed for the Department’s audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding.” Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Identification of a repeat finding This is not a repeat finding. Recommendation We recommend that management implement policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of responsible officials and planned corrective actions The University’s management agrees with this finding. Please refer to the corrective action plan on pages 47-48.
Finding No. 2023-001 Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency U.S. Department of Education Pass-through Entity N/A Type of Finding Compliance Internal of Control Category Significant deficiency Compliance Requirement N. Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). 
b) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).Criteria – (continued) e) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). 
g) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Evidence of annual security report to those charge with governance 2. Vulnerability test 3. Disaster recovery plan 4. No backup test was performed during year ended June 30, 2023. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the institution’s information security program. As a result, some of the procedures and policies established in the information security program risk assessment have not been consistently or continuously maintained. Effect The student personal information could be vulnerable. In addition, the Department of Education (DE) has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received by the Department, they will refer the audit to the Federal Trade Commission (FTC). 
Once the finding is referred to the FTC, that finding will be considered closed for the Department’s audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding.” Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Identification of a repeat finding This is not a repeat finding. Recommendation We recommend that management implement policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of responsible officials and planned corrective actions The University’s management agrees with this finding. Please refer to the corrective action plan on pages 47-48.
Finding No. 2023-001 Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency U.S. Department of Education Pass-through Entity N/A Type of Finding Compliance Internal of Control Category Significant deficiency Compliance Requirement N. Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). 
b) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).Criteria – (continued) e) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). 
g) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Evidence of annual security report to those charge with governance 2. Vulnerability test 3. Disaster recovery plan 4. No backup test was performed during year ended June 30, 2023. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the institution’s information security program. As a result, some of the procedures and policies established in the information security program risk assessment have not been consistently or continuously maintained. Effect The student personal information could be vulnerable. In addition, the Department of Education (DE) has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received by the Department, they will refer the audit to the Federal Trade Commission (FTC). 
Once the finding is referred to the FTC, that finding will be considered closed for the Department’s audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding.” Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Identification of a repeat finding This is not a repeat finding. Recommendation We recommend that management implement policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of responsible officials and planned corrective actions The University’s management agrees with this finding. Please refer to the corrective action plan on pages 47-48.
Finding No. 2023-001 Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency U.S. Department of Education Pass-through Entity N/A Type of Finding Compliance Internal of Control Category Significant deficiency Compliance Requirement N. Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). 
b) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).Criteria – (continued) e) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). 
g) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Evidence of annual security report to those charge with governance 2. Vulnerability test 3. Disaster recovery plan 4. No backup test was performed during year ended June 30, 2023. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the institution’s information security program. As a result, some of the procedures and policies established in the information security program risk assessment have not been consistently or continuously maintained. Effect The student personal information could be vulnerable. In addition, the Department of Education (DE) has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received by the Department, they will refer the audit to the Federal Trade Commission (FTC). 
Once the finding is referred to the FTC, that finding will be considered closed for the Department’s audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding.” Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Identification of a repeat finding This is not a repeat finding. Recommendation We recommend that management implement policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of responsible officials and planned corrective actions The University’s management agrees with this finding. Please refer to the corrective action plan on pages 47-48.
Finding No. 2023-001 Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency U.S. Department of Education Pass-through Entity N/A Type of Finding Compliance Internal of Control Category Significant deficiency Compliance Requirement N. Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). 
b) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).Criteria – (continued) e) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). 
g) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Evidence of annual security report to those charge with governance 2. Vulnerability test 3. Disaster recovery plan 4. No backup test was performed during year ended June 30, 2023. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the institution’s information security program. As a result, some of the procedures and policies established in the information security program risk assessment have not been consistently or continuously maintained. Effect The student personal information could be vulnerable. In addition, the Department of Education (DE) has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received by the Department, they will refer the audit to the Federal Trade Commission (FTC). 
Once the finding is referred to the FTC, that finding will be considered closed for the Department’s audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding.” Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Identification of a repeat finding This is not a repeat finding. Recommendation We recommend that management implement policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of responsible officials and planned corrective actions The University’s management agrees with this finding. Please refer to the corrective action plan on pages 47-48.
