2023-002. FINDING (Enrollment Reporting)
Federal Department: U.S. Department of Education
Assistance Listing Number: 84.268
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Direct Student Loans
Award Numbers: P268K230567, P268K220567
Questioned Cost: None
Program Expenditures: $21,864,079
Cluster Expenditures: $33,549,307
Governors State University (University) did not timely report student enrollment information to the U.S. Department of Education’s National Student Loan Data System (NSLDS).
During our audit, we tested 33 students who experienced a change in enrollment status during the fiscal year. Our testing identified two students (6%) whose enrollment status change was not reported timely to the NSLDS. The two enrollment status changes were reported 236 and 353 days after the date of occurrence, well beyond the reporting window. The sample was not intended to be, and was not, a statistically valid sample.
The Code of Federal Regulations (34 CFR 685.309) requires the University, upon the receipt of an enrollment report from the Secretary, to update all information included in the report and return the report to the Secretary within the timeframe prescribed by the Secretary. It further requires the University to report enrollment changes within 30 days unless a roster file is expected within 60 days, in which case the enrollment data may be updated on that roster file. The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal statutes, regulations, and the terms and conditions of the federal award. Effective internal controls should include procedures to ensure timely student enrollment status reports are submitted to NSLDS.
University officials stated the students noted were granted an administrative withdrawal for a single course after the semester for which they had registered ended, which resulted in a change of enrollment status from Full-Time to Three-Quarter Time. The University reports enrollment status changes to NSLDS through the National Student Clearinghouse (NSC), a third-party servicer. Changes to enrollment that occur after the term has already been reported are not propagated to NSLDS by changes the University makes in NSC; such enrollment changes must instead be entered directly through the NSLDS enrollment history update function.
Enrollment reporting in a timely manner is critical for effective management of the student financial aid programs. Noncompliance with enrollment reporting regulations may result in a loss of future federal funding. (Finding Code No. 2023-002, 2022-002, 2021-003)
RECOMMENDATION
We recommend the University improve its procedures to ensure timely reporting of student enrollment status to the NSLDS.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University has already identified a method to report directly to NSLDS all enrollment changes occurring after the end of the term. The University will continue to update timely the NSLDS enrollment history as needed when the situation of late withdrawals occurs beyond the reporting dates.
2023-003. FINDING (Noncompliance with Gramm-Leach-Bliley Act)
Federal Department: U.S. Department of Education, U.S. Department of Health and Human Services
Assistance Listing Number: 84.038, 84.033, 84.007, 84.063, 84.268, 84.379, 93.925, 93.264
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Perkins Loan Program, Federal Work-Study Program, Federal Supplemental Educational Opportunity Grants, Federal Pell Grant Program, Federal Direct Student Loans, Teacher Education Assistance for College and Higher Education Grants, Scholarships for Health Professions Students from Disadvantaged Backgrounds, and Nurse Faculty Loan Program
Award Numbers: P033A221156, P033A211156, P033A171156, P007A221156, P007A211156, P063P220567, P063P210567, P268K230567, P268K220567, P379T230567, P379T220567, 5T08HP39308-03-00, and E01HP27019
Questioned Cost: None
Program Expenditures: $2,474,974; $503,715; $265,650; $7,216,654; $21,864,079; $25,930; $576,000; $622,305
Cluster Expenditures: $33,549,307
Governors State University (University) did not establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
During our audit, we noted the University was unable to complete the development of the written incident response plan as of the end of the audit period.
On December 9, 2021, the Federal Trade Commission issued final regulations to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers.
The Code of Federal Regulations (16 CFR 314.4(h)) requires the University to develop, implement, and maintain an information security program which includes establishing a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
At a minimum, such incident response plan shall address the following areas:
• the goals of the incident response plan;
• the internal processes for responding to a security event;
• the definition of clear roles, responsibilities, and levels of decision-making authority;
• external and internal communications and information sharing;
• identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
• documentation and reporting regarding security events and related incident response activities; and
• the evaluation and revision as necessary of the incident response plan following a security event.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
University officials stated the University has started the process of developing the written incident response plan, but the plan has not been completed to date due to resource constraints and competing priorities.
The intent of the GLBA Safeguards Rule is to enhance security over confidential information. Without a documented plan addressing all applicable requirements, the University is more susceptible to vulnerabilities in protecting the privacy and personal information of students than it will be following full implementation. (Finding Code No. 2023-003)
RECOMMENDATION
We recommend the University continue towards completion and full implementation of the written incident response plan.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University is currently drafting the incident response plan and is working to secure a contract with an incident response firm. Additionally, the University recently hired an Information Security Analyst, a newly created position designed to address smaller-scale alerts and incidents.
At a minimum, such incident response plan shall address the following areas:
• the goals of the incident response plan;
• the internal processes for responding to a security event;
• the definition of clear roles, responsibilities, and levels of decision-making authority;
• external and internal communications and information sharing;
• identification of requirements for the remediation of any identified weaknesses in information
systems and associated controls;
• documentation and reporting regarding security events and related incident response activities;
and
• the evaluation and revision as necessary of the incident response plan following a security event.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
University officials stated the University has started the process of developing the written incident response plan but has not been completed to date due to resource constraints and competing priorities.
The intent of the GLBA Safeguards Rule is to enhance security over confidential information. Without a documented response to all applicable requirements, the University is more susceptible to vulnerabilities as it relates to protecting the privacy and personal information of students than it will be following full implementation. (Finding Code No. 2023-003)
RECOMMENDATION
We recommend the University continue towards completion and full implementation of the written incident response plan.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University is currently drafting the incident response plan and is working to secure a contract with an incident response firm. Additionally, the University recently hired an Information Security Analyst, a newly created position designed to address smaller-scale alerts and incidents.
2023-004. FINDING (Inadequate Controls over Payroll Expenditures and Noncompliance with Allowable Cost & Cost Principles Requirements Applicable to the Head Start Cluster)
Federal Department: U.S. Department of Health and Human Services
Assistance Listing Number: 93.600
Cluster Name: Head Start Cluster
Program Name: Early Head Start
Award Numbers: 05CH011351-03-02, 05CH011351-04-03
Questioned Cost: Known ($37,377)
Program Expenditures: $985,732
Cluster Expenditures: $1,026,985
The Governors State University (University) did not have adequate controls over payroll expenditures and did not comply with the allowable cost and cost principles requirements applicable to the Head Start Cluster.
During our testing of Head Start Cluster payroll expenditures amounting to $555,569, we noted the following:
• There was no periodic reconciliation performed between the amount actually worked on the grant (i.e. certified time and effort reports) against payroll expenditures to ensure the amount charged to the grant was accurate. Payroll expenditures for five (5) of twelve (12) employees tested were charged to the Early Head Start program using incorrect time and effort rates. The actual amounts charged to the grant were less than computed payroll expenditures using the certified time and effort rates. These differences were not adjusted at year-end to ensure the accuracy of the accounting records and schedule of expenditures of federal awards. The questioned costs were ($37,377). The sample was not intended to be, and was not, a statistically valid sample.
• Our testing of payroll expenditures identified 12 instances out of 12 employees tested who worked on multiple federal awards and/or nonfederal awards lacked appropriate supporting documentation to account for 100% actual time and effort certification of the employees for each reporting period to provide a basis to reconcile with payroll distribution used in charging these awards. The University’s time and effort certification shows only the percentage of effort for each employee on a specific grant. As a result, we were unable to ascertain the accuracy of the payroll expenditure charged as a whole. The sample was not intended to be, and was not, a statistically valid sample.
The Code of Federal Regulations (Code) (2 CFR 200.303) requires the University establish and maintain effective internal control over the federal award that provides reasonable assurance the University is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Effective internal controls should include procedures to ensure that there is reconciliation between the compensation for personal services charged to the agreement and the amount actually worked on the agreement.
The Code (2 CFR 200.430) states charges to federal awards for salaries and wages must be based on records that accurately reflect the work performed and must support the distribution of the employee's salary or wages among specific activities or cost objectives if the employee works on more than one federal award; a federal award and nonfederal award; an indirect cost activity and a direct cost activity; two or more indirect activities which are allocated using different allocation bases; or an unallowable activity and a direct or indirect cost activity. These records must be supported by a system of internal control which provides reasonable assurance that the charges are accurate, allowable, and properly allocated.
The University’s effort reporting guidelines requires the University to have a periodic review of the salary distribution system to confirm the reasonableness of the charges to the federal projects. In addition, the University is required to review, update, and prepare salary reallocations, and if necessary, make appropriate changes to the effort reports and certify reports on a quarterly basis to ensure that the salaries charged to federally sponsored projects are reasonable and consistent with the portion of activity committed to projects. The effort report must represent, in percentages totaling 100%, a reasonable estimate of an employee’s University compensated effort for the period.
University officials stated the reconciliation process for time and effort reports is in place; however, staffing constraints resulted in some delays in the reconciliation process. The Early Head Start program is a calendar year grant that runs from January through December. The necessary adjustments to correct the differences noted for 2023 were made by the University after fiscal year end, but within the grant’s budget period. University officials stated 100% of work is captured on Human Resource and workflow records but not on the certification forms.
Failure to accurately charge sponsored agreements for the equitable distribution of employee compensation may result in federal expenditures being disallowed and could jeopardize future federal funding. (Finding Code No. 2023-004)
RECOMMENDATION
We recommend the University timely reconcile payroll and ensure employees certify 100% of time worked to allow for adequate application of allowable cost and cost principles requirements for the Head Start Cluster.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University has updated its process to collect time and effort information on a semi-annual basis rather than quarterly, which relieves some burden from staff, but still complies with federal regulations. By collecting time and effort information on a semi-annual basis, staff will have more time to reconcile time and effort against actual payroll expenditures. The University has also redesigned the time and effort collection form to show the 100% distribution of work. Further, the University now has a full-time financial research administrator who will help ensure that payroll- related adjustments are done timely. The financial research administrator will work with the Early Head Start program management to ensure that the related payroll reports are reviewed and reconciled timely, in accordance with existing University procedures.
2023-005. FINDING (Failure to File Real Property Status Report)
Federal Department: U.S. Department of Health and Human Services
Assistance Listing Number: 93.600
Cluster Name: Head Start Cluster
Program Name: Early Head Start
Award Numbers: 05CH011351-03-02, 05CH011351-04-03
Questioned Cost: None
Program Expenditures: $985,732
Cluster Expenditures: $1,026,985
Governors State University (University) failed to submit the required annual real property status report (SF-429).
During our audit, we identified the University did not submit the calendar year 2022 SF-429 report. The SF-429 report must be submitted by all grantees on the same date the grantee’s SF- 425 Final Federal Financial Report for the budget period is due.
Grantees must act in compliance with the requirements of this grant and applicable federal statutes, regulations, and policies as included in the Compendium of Program Instructions and Information Memoranda. The Office of Head Start has issued Program Instruction Log Number ACF-PI-HS-17-03 which requires all grantees, including those with no covered real property, to prepare and submit SF-429 with Attachment A on an annual basis at the same time as their annual SF-425 Federal Financial Report. The Program Instruction Log Number ACF-PI-HS-17- 03 is required in accordance with the Code of Federal Regulations (Code) (45 CFR 75.343).
The Code (45 CFR 75.343) requires nonfederal entities to submit reports periodically dependent on time frame on the status of real property in which the federal government retains an interest.
Additionally, the Code (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure reports are submitted timely.
University officials stated the SF-429 report was inadvertently not submitted as there was no real property acquired from the grant funds.
Failure to meet grant reporting requirements is a noncompliance with the related grant request for proposal and application agreement and could result in loss of grant funding in future years. (Finding Code No. 2023-005)
RECOMMENDATION
We recommend the University improve its procedures to ensure timely submission of required reports.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. Existing procedures are already in place to ensure that required reports are submitted. As indicated in the finding above, this was just a misunderstanding on the part of the employee submitting the report as there was no real property acquired from the Early Head Start grant funds. The University believes that this matter did not have a direct and material effect on the University’s compliance with federal requirements.
2023-002. FINDING (Enrollment Reporting)
Federal Department: U.S. Department of Education
Assistance Listing Number: 84.268
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Direct Student Loans
Award Numbers: P268K230567, P268K220567
Questioned Cost: None
Program Expenditures: $21,864,079
Cluster Expenditures: $33,549,307
Governors State University (University) did not timely report student enrollment information to the U.S. Department of Education’s National Student Loan Data System (NSLDS).
During our audit, we tested 33 students who experienced a change in enrollment status during the fiscal year. Our testing identified two students (6%) whose enrollment status change was not reported timely to the NSLDS. The student enrollment status changes were reported 236 and 353 days late after the date of occurrence. The sample was not intended to be, and was not, a statistically valid sample.
The Code of Federal Regulations (34 CFR 685.309) requires the University, upon the receipt of an enrollment report from the Secretary, to update all information included in the report and return the report to the Secretary within the timeframe prescribed by the Secretary. It further requires the University to report enrollment changes within 30 days unless a roster file is expected within 60 days, in which case the enrollment data may be updated on that roster file. The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards establish and maintain internal controls designed to reasonably ensure compliance with federal statutes, regulations, and terms and conditions of the federal award. Effective internal controls should include procedures to ensure timely student enrollment status reports are submitted to NSLDS.
University officials stated the students noted were granted administrative withdrawal for a single course after the semester (the students registered for) ended, which resulted in a change of enrollment from Full-time to Three-Quarters of a Time. The University reports enrollment status changes to NSLDS through the National Student Clearinghouse (NSC), a third-party servicer. Changes to enrollment that occur after the term has been reported will not be updated in NSLDS by changes made by the University in NSC. Those enrollment changes need to be updated directly in the NSLDS enrollment history update function.
Enrollment reporting in a timely manner is critical for effective management of the student financial aid programs. Noncompliance with enrollment reporting regulations may result in a loss of future federal funding. (Finding Code No. 2023-002, 2022-002, 2021-003)
RECOMMENDATION
We recommend the University improve its procedures to ensure timely reporting of student enrollment status to the NSLDS.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University has already identified a method to report directly to NSLDS all enrollment changes occurring after the end of the term. The University will continue to update timely the NSLDS enrollment history as needed when the situation of late withdrawals occurs beyond the reporting dates.
2023-003. FINDING (Noncompliance with Gramm-Leach-Bliley Act)
Federal Department: U.S. Department of Education, U.S. Department of Health and Human Services
Assistance Listing Number: 84.038, 84.033, 84.007, 84.063, 84.268, 84.379, 93.925,93.264
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Perkins Loan Program, Federal Work-Study Program,
Federal Supplemental Educational Opportunity Grants, Federal Pell Grant
Program, Federal Direct Student Loans, Teacher Education Assistance for
College and Higher Education Grants, Scholarships for Health Professions
Students from Disadvantaged Backgrounds, and Nurse Faculty Loan Program
Award Numbers: P033A221156, P033A211156, P033A171156,
P007A221156, P007A211156, P063P220567,
P063P210567, P268K230567, P268K220567,
P379T230567, P379T220567, 5T08HP39308‐03‐00,
and E01HP27019
Questioned Cost: None
Program Expenditures: $2,474,974; $503,715; $265,650; 7,216,654, $21,864,079;
$25,930; $576,000; $622,305
Cluster Expenditures: $33,549,307
Governors State University (University) did not establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in their control.
During our audit, we noted the University was unable to complete the development of the written incident response plan as of the end of the audit period.
On December 9, 2021, the Federal Trade Commission issued final regulations to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers.
The Code of Federal Regulations (16 CFR 314.4 (h)) requires the University to develop, implement and maintain an information security program which includes establishing a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
At a minimum, such incident response plan shall address the following areas:
• the goals of the incident response plan;
• the internal processes for responding to a security event;
• the definition of clear roles, responsibilities, and levels of decision-making authority;
• external and internal communications and information sharing;
• identification of requirements for the remediation of any identified weaknesses in information
systems and associated controls;
• documentation and reporting regarding security events and related incident response activities;
and
• the evaluation and revision as necessary of the incident response plan following a security event.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
University officials stated the University has started the process of developing the written incident response plan but has not been completed to date due to resource constraints and competing priorities.
The intent of the GLBA Safeguards Rule is to enhance security over confidential information. Without a documented response to all applicable requirements, the University is more susceptible to vulnerabilities as it relates to protecting the privacy and personal information of students than it will be following full implementation. (Finding Code No. 2023-003)
RECOMMENDATION
We recommend the University continue towards completion and full implementation of the written incident response plan.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University is currently drafting the incident response plan and is working to secure a contract with an incident response firm. Additionally, the University recently hired an Information Security Analyst, a newly created position designed to address smaller-scale alerts and incidents.
2023-003. FINDING (Noncompliance with Gramm-Leach-Bliley Act)
Federal Department: U.S. Department of Education, U.S. Department of Health and Human Services
Assistance Listing Number: 84.038, 84.033, 84.007, 84.063, 84.268, 84.379, 93.925,93.264
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Perkins Loan Program, Federal Work-Study Program,
Federal Supplemental Educational Opportunity Grants, Federal Pell Grant
Program, Federal Direct Student Loans, Teacher Education Assistance for
College and Higher Education Grants, Scholarships for Health Professions
Students from Disadvantaged Backgrounds, and Nurse Faculty Loan Program
Award Numbers: P033A221156, P033A211156, P033A171156,
P007A221156, P007A211156, P063P220567,
P063P210567, P268K230567, P268K220567,
P379T230567, P379T220567, 5T08HP39308‐03‐00,
and E01HP27019
Questioned Cost: None
Program Expenditures: $2,474,974; $503,715; $265,650; 7,216,654, $21,864,079;
$25,930; $576,000; $622,305
Cluster Expenditures: $33,549,307
Governors State University (University) did not establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in their control.
During our audit, we noted the University was unable to complete the development of the written incident response plan as of the end of the audit period.
On December 9, 2021, the Federal Trade Commission issued final regulations to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers.
The Code of Federal Regulations (16 CFR 314.4 (h)) requires the University to develop, implement and maintain an information security program which includes establishing a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
At a minimum, such incident response plan shall address the following areas:
• the goals of the incident response plan;
• the internal processes for responding to a security event;
• the definition of clear roles, responsibilities, and levels of decision-making authority;
• external and internal communications and information sharing;
• identification of requirements for the remediation of any identified weaknesses in information
systems and associated controls;
• documentation and reporting regarding security events and related incident response activities;
and
• the evaluation and revision as necessary of the incident response plan following a security event.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
University officials stated the University has started the process of developing the written incident response plan but has not been completed to date due to resource constraints and competing priorities.
The intent of the GLBA Safeguards Rule is to enhance security over confidential information. Without a documented response to all applicable requirements, the University is more susceptible to vulnerabilities as it relates to protecting the privacy and personal information of students than it will be following full implementation. (Finding Code No. 2023-003)
RECOMMENDATION
We recommend the University continue towards completion and full implementation of the written incident response plan.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University is currently drafting the incident response plan and is working to secure a contract with an incident response firm. Additionally, the University recently hired an Information Security Analyst, a newly created position designed to address smaller-scale alerts and incidents.
2023-003. FINDING (Noncompliance with Gramm-Leach-Bliley Act)
Federal Department: U.S. Department of Education, U.S. Department of Health and Human Services
Assistance Listing Number: 84.038, 84.033, 84.007, 84.063, 84.268, 84.379, 93.925,93.264
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Perkins Loan Program, Federal Work-Study Program,
Federal Supplemental Educational Opportunity Grants, Federal Pell Grant
Program, Federal Direct Student Loans, Teacher Education Assistance for
College and Higher Education Grants, Scholarships for Health Professions
Students from Disadvantaged Backgrounds, and Nurse Faculty Loan Program
Award Numbers: P033A221156, P033A211156, P033A171156,
P007A221156, P007A211156, P063P220567,
P063P210567, P268K230567, P268K220567,
P379T230567, P379T220567, 5T08HP39308‐03‐00,
and E01HP27019
Questioned Cost: None
Program Expenditures: $2,474,974; $503,715; $265,650; 7,216,654, $21,864,079;
$25,930; $576,000; $622,305
Cluster Expenditures: $33,549,307
Governors State University (University) did not establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in their control.
During our audit, we noted the University was unable to complete the development of the written incident response plan as of the end of the audit period.
On December 9, 2021, the Federal Trade Commission issued final regulations to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers.
The Code of Federal Regulations (16 CFR 314.4 (h)) requires the University to develop, implement and maintain an information security program which includes establishing a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
At a minimum, such incident response plan shall address the following areas:
• the goals of the incident response plan;
• the internal processes for responding to a security event;
• the definition of clear roles, responsibilities, and levels of decision-making authority;
• external and internal communications and information sharing;
• identification of requirements for the remediation of any identified weaknesses in information
systems and associated controls;
• documentation and reporting regarding security events and related incident response activities;
and
• the evaluation and revision as necessary of the incident response plan following a security event.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
University officials stated the University has started the process of developing the written incident response plan but has not been completed to date due to resource constraints and competing priorities.
The intent of the GLBA Safeguards Rule is to enhance security over confidential information. Without a documented response to all applicable requirements, the University is more susceptible to vulnerabilities as it relates to protecting the privacy and personal information of students than it will be following full implementation. (Finding Code No. 2023-003)
RECOMMENDATION
We recommend the University continue towards completion and full implementation of the written incident response plan.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University is currently drafting the incident response plan and is working to secure a contract with an incident response firm. Additionally, the University recently hired an Information Security Analyst, a newly created position designed to address smaller-scale alerts and incidents.
2023-003. FINDING (Noncompliance with Gramm-Leach-Bliley Act)
Federal Department: U.S. Department of Education, U.S. Department of Health and Human Services
Assistance Listing Number: 84.038, 84.033, 84.007, 84.063, 84.268, 84.379, 93.925,93.264
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Perkins Loan Program, Federal Work-Study Program,
Federal Supplemental Educational Opportunity Grants, Federal Pell Grant
Program, Federal Direct Student Loans, Teacher Education Assistance for
College and Higher Education Grants, Scholarships for Health Professions
Students from Disadvantaged Backgrounds, and Nurse Faculty Loan Program
Award Numbers: P033A221156, P033A211156, P033A171156,
P007A221156, P007A211156, P063P220567,
P063P210567, P268K230567, P268K220567,
P379T230567, P379T220567, 5T08HP39308‐03‐00,
and E01HP27019
Questioned Cost: None
Program Expenditures: $2,474,974; $503,715; $265,650; 7,216,654, $21,864,079;
$25,930; $576,000; $622,305
Cluster Expenditures: $33,549,307
2023-003. FINDING (Noncompliance with Gramm-Leach-Bliley Act)
Federal Department: U.S. Department of Education, U.S. Department of Health and Human Services
Assistance Listing Number: 84.038, 84.033, 84.007, 84.063, 84.268, 84.379, 93.925, 93.264
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Perkins Loan Program, Federal Work-Study Program, Federal Supplemental Educational Opportunity Grants, Federal Pell Grant Program, Federal Direct Student Loans, Teacher Education Assistance for College and Higher Education Grants, Scholarships for Health Professions Students from Disadvantaged Backgrounds, and Nurse Faculty Loan Program
Award Numbers: P033A221156, P033A211156, P033A171156, P007A221156, P007A211156, P063P220567, P063P210567, P268K230567, P268K220567, P379T230567, P379T220567, 5T08HP39308-03-00, and E01HP27019
Questioned Cost: None
Program Expenditures: $2,474,974; $503,715; $265,650; $7,216,654; $21,864,079; $25,930; $576,000; $622,305
Cluster Expenditures: $33,549,307
Governors State University (University) did not establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
During our audit, we noted the University was unable to complete the development of the written incident response plan as of the end of the audit period.
On December 9, 2021, the Federal Trade Commission issued final regulations to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers.
The Code of Federal Regulations (16 CFR 314.4 (h)) requires the University to develop, implement and maintain an information security program which includes establishing a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
At a minimum, such incident response plan shall address the following areas:
• the goals of the incident response plan;
• the internal processes for responding to a security event;
• the definition of clear roles, responsibilities, and levels of decision-making authority;
• external and internal communications and information sharing;
• identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
• documentation and reporting regarding security events and related incident response activities; and
• the evaluation and revision as necessary of the incident response plan following a security event.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
University officials stated the University has started the process of developing the written incident response plan, but it has not been completed to date due to resource constraints and competing priorities.
The intent of the GLBA Safeguards Rule is to enhance security over confidential information. Without a documented response to all applicable requirements, the University is more susceptible to vulnerabilities in protecting the privacy and personal information of students than it will be following full implementation. (Finding Code No. 2023-003)
RECOMMENDATION
We recommend the University continue towards completion and full implementation of the written incident response plan.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University is currently drafting the incident response plan and is working to secure a contract with an incident response firm. Additionally, the University recently hired an Information Security Analyst, a newly created position designed to address smaller-scale alerts and incidents.
2023-004. FINDING (Inadequate Controls over Payroll Expenditures and Noncompliance with Allowable Cost & Cost Principles Requirements Applicable to the Head Start Cluster)
Federal Department: U.S. Department of Health and Human Services
Assistance Listing Number: 93.600
Cluster Name: Head Start Cluster
Program Name: Early Head Start
Award Numbers: 05CH011351-03-02, 05CH011351-04-03
Questioned Cost: Known ($37,377)
Program Expenditures: $985,732
Cluster Expenditures: $1,026,985
The Governors State University (University) did not have adequate controls over payroll expenditures and did not comply with the allowable cost and cost principles requirements applicable to the Head Start Cluster.
During our testing of Head Start Cluster payroll expenditures amounting to $555,569, we noted the following:
• There was no periodic reconciliation performed between the amount actually worked on the grant (i.e. certified time and effort reports) against payroll expenditures to ensure the amount charged to the grant was accurate. Payroll expenditures for five (5) of twelve (12) employees tested were charged to the Early Head Start program using incorrect time and effort rates. The actual amounts charged to the grant were less than computed payroll expenditures using the certified time and effort rates. These differences were not adjusted at year-end to ensure the accuracy of the accounting records and schedule of expenditures of federal awards. The questioned costs were ($37,377). The sample was not intended to be, and was not, a statistically valid sample.
• Our testing of payroll expenditures identified that all 12 of the 12 employees tested who worked on multiple federal awards and/or nonfederal awards lacked appropriate supporting documentation accounting for 100% of each employee's actual time and effort certification for each reporting period, which would provide a basis to reconcile with the payroll distribution used in charging these awards. The University’s time and effort certification shows only the percentage of effort for each employee on a specific grant. As a result, we were unable to ascertain the accuracy of the payroll expenditures charged as a whole. The sample was not intended to be, and was not, a statistically valid sample.
The Code of Federal Regulations (Code) (2 CFR 200.303) requires the University to establish and maintain effective internal control over the federal award that provides reasonable assurance the University is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Effective internal controls should include procedures to ensure that there is reconciliation between the compensation for personal services charged to the agreement and the amount actually worked on the agreement.
The Code (2 CFR 200.430) states charges to federal awards for salaries and wages must be based on records that accurately reflect the work performed and must support the distribution of the employee's salary or wages among specific activities or cost objectives if the employee works on more than one federal award; a federal award and nonfederal award; an indirect cost activity and a direct cost activity; two or more indirect activities which are allocated using different allocation bases; or an unallowable activity and a direct or indirect cost activity. These records must be supported by a system of internal control which provides reasonable assurance that the charges are accurate, allowable, and properly allocated.
The University’s effort reporting guidelines require the University to perform a periodic review of the salary distribution system to confirm the reasonableness of the charges to federal projects. In addition, the University is required to review, update, and prepare salary reallocations, and if necessary, make appropriate changes to the effort reports and certify reports on a quarterly basis to ensure that the salaries charged to federally sponsored projects are reasonable and consistent with the portion of activity committed to the projects. The effort report must represent, in percentages totaling 100%, a reasonable estimate of an employee’s University-compensated effort for the period.
University officials stated the reconciliation process for time and effort reports is in place; however, staffing constraints resulted in some delays in the reconciliation process. The Early Head Start program is a calendar year grant that runs from January through December. The necessary adjustments to correct the differences noted for 2023 were made by the University after fiscal year end, but within the grant’s budget period. University officials stated 100% of work is captured on Human Resource and workflow records but not on the certification forms.
Failure to accurately charge sponsored agreements for the equitable distribution of employee compensation may result in federal expenditures being disallowed and could jeopardize future federal funding. (Finding Code No. 2023-004)
RECOMMENDATION
We recommend the University timely reconcile payroll and ensure employees certify 100% of time worked to allow for adequate application of allowable cost and cost principles requirements for the Head Start Cluster.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University has updated its process to collect time and effort information on a semi-annual basis rather than quarterly, which relieves some burden from staff, but still complies with federal regulations. By collecting time and effort information on a semi-annual basis, staff will have more time to reconcile time and effort against actual payroll expenditures. The University has also redesigned the time and effort collection form to show the 100% distribution of work. Further, the University now has a full-time financial research administrator who will help ensure that payroll-related adjustments are done timely. The financial research administrator will work with the Early Head Start program management to ensure that the related payroll reports are reviewed and reconciled timely, in accordance with existing University procedures.
2023-005. FINDING (Failure to File Real Property Status Report)
Federal Department: U.S. Department of Health and Human Services
Assistance Listing Number: 93.600
Cluster Name: Head Start Cluster
Program Name: Early Head Start
Award Numbers: 05CH011351-03-02, 05CH011351-04-03
Questioned Cost: None
Program Expenditures: $985,732
Cluster Expenditures: $1,026,985
Governors State University (University) failed to submit the required annual real property status report (SF-429).
During our audit, we identified the University did not submit the calendar year 2022 SF-429 report. The SF-429 report must be submitted by all grantees on the same date the grantee’s SF-425 Final Federal Financial Report for the budget period is due.
Grantees must act in compliance with the requirements of this grant and applicable federal statutes, regulations, and policies as included in the Compendium of Program Instructions and Information Memoranda. The Office of Head Start has issued Program Instruction Log Number ACF-PI-HS-17-03, which requires all grantees, including those with no covered real property, to prepare and submit SF-429 with Attachment A on an annual basis at the same time as their annual SF-425 Federal Financial Report. The Program Instruction Log Number ACF-PI-HS-17-03 is required in accordance with the Code of Federal Regulations (Code) (45 CFR 75.343).
The Code (45 CFR 75.343) requires nonfederal entities to submit periodic reports, at a frequency dependent on the applicable time frame, on the status of real property in which the federal government retains an interest.
Additionally, the Code (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure reports are submitted timely.
University officials stated the SF-429 report was inadvertently not submitted as there was no real property acquired from the grant funds.
Failure to meet grant reporting requirements is a noncompliance with the related grant request for proposal and application agreement and could result in loss of grant funding in future years. (Finding Code No. 2023-005)
RECOMMENDATION
We recommend the University improve its procedures to ensure timely submission of required reports.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. Existing procedures are already in place to ensure that required reports are submitted. As indicated in the finding above, this was just a misunderstanding on the part of the employee submitting the report as there was no real property acquired from the Early Head Start grant funds. The University believes that this matter did not have a direct and material effect on the University’s compliance with federal requirements.