Audit 300992

FY End: 2023-06-30
Total Expended: $11.71M
Findings: 10
Programs: 17
Organization: Saint Michael's College (VT)
Year: 2023
Accepted: 2024-03-29
Auditor: KPMG LLP

Findings

ID      Ref       Severity                Repeat  Requirement
390100  2023-001  Significant Deficiency  -       P
390101  2023-001  Significant Deficiency  -       P
390102  2023-001  Significant Deficiency  -       P
390103  2023-001  Significant Deficiency  -       P
390104  2023-001  Significant Deficiency  -       P
966542  2023-001  Significant Deficiency  -       P
966543  2023-001  Significant Deficiency  -       P
966544  2023-001  Significant Deficiency  -       P
966545  2023-001  Significant Deficiency  -       P
966546  2023-001  Significant Deficiency  -       P

Contacts

Name Title Type
UX4CNQ22L1A4 Catherine Palopoli Auditee
6176867943 Renee Bourget-Place Auditor

Notes to SEFA

Title: Summary of Significant Accounting Policies
Accounting Policies: The accompanying supplementary schedule of expenditures of federal awards (the Schedule) includes the federal grant activity of Saint Michael’s College (the College) and is presented on the accrual basis of accounting. The information in this schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the College, some amounts presented in this schedule may differ from amounts presented in, or used in the preparation of, the consolidated financial statements.
De Minimis Rate Used: N
Rate Explanation: The College uses an indirect cost rate of 65%, where applicable/allowable, in accordance with our rate agreement dated 12/27/2021 and effective from 7/1/2021 through 6/30/2026.

Title: Loan Advances and Balances
Loans advanced during the year to students under the Federal Direct Loan (FDL) Programs are as follows for the year ended June 30, 2023: See the Notes to the SEFA for chart/table. With respect to the FDL Programs, the College is responsible only for the performance of certain administrative duties and, accordingly, these loan balances are not included in the College’s financial statements. It is not practical to determine the balances of loans outstanding from students of the College under these programs at June 30, 2023. Congress did not renew the Federal Perkins Loan Program after September 2017 and the transition period permitting disbursements ended June 30, 2018. Therefore, no new loans have been awarded after September 2017 and the College continues to service outstanding loans throughout the repayment period. For the year ended June 30, 2023, the College did not recover an administrative allowance under the Federal Perkins Loan Program.
The loan receivable balance from students under the Federal Perkins Loan Program was $1,155,218 and $1,870,613 at June 30, 2023 and 2022, respectively.

Title: Indirect Cost Rate
The College has not elected to utilize the 10% de minimis indirect cost rate in Part 200.514 of the Uniform Guidance.

Finding Details

Compliance Requirements: Gramm-Leach-Bliley Act – Student Information Security

Condition or Requirement: The Gramm-Leach-Bliley Act (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The written information security program must address the following seven elements:
1.) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program.
2.) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
3.) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment. At a minimum, the written information security program must address the implementation of the following eight minimum safeguards:
i. Implement and periodically review access controls.
ii. Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted.
iii. Encrypt customer information on the institution’s system and when it is in transit.
iv. Assess apps developed by the institution.
v. Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
vi. Dispose of customer information securely.
vii. Anticipate and evaluate changes to the information system or network.
viii. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
4.) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented.
5.) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program.
6.) Addresses how the institution will oversee its information system service providers.
7.) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program.

Condition and Context: The OMB Compliance Supplement requires auditors to verify that the institution has designated a qualified individual to oversee the information security program and to verify that the institution has a written information security program that addresses the seven required elements. During our testwork over element 3, we noted that the College’s written information security program did not address conducting a periodic inventory of data, noting where it is collected, stored, or transmitted (minimum safeguard ii).

Cause and Effect: The cause of the condition found was a lack of policies and procedures in place to ensure the written information security program addressed the required seven elements, which include the eight minimum safeguards. The effect of the condition found is that the College may not have appropriately designed and implemented safeguards to control the risks identified by the College through its risk assessment.

Identification of Questioned Costs: None.

Whether the Sampling was a Statistically Valid Sample: The sample was not intended to be, and was not, a statistically valid sample.

Identification of Whether the Audit Finding was a Repeat Finding: This is not a repeat finding.

Recommendation: We recommend that the College conduct a periodic inventory of data and ensure that its written information security program includes the requirement to conduct a periodic inventory of data, noting where it is collected, stored, or transmitted.
Compliance Requirements: Gramm-Leach Bliley Act – Student Information Security Condition or Requirement: The Gramm-Leach-Bliley Act (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The written information security program for institutions must address the following seven elements: 1.) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance. 2.) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. 3.) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment. At a minimum, the institution’s written information security program must address the implementation of the following eight minimum safeguards within the written information security program: i. Implement and periodically review access controls. ii. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. iii. Encrypt customer information on the institution’s system and when it’s in transit. iv. Assess apps developed by the institution. v. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. vi. Dispose of customer information securely vii. 
Anticipate and evaluate changes to the information system or network. viii. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. 4.) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. 5.) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program. 6.) Addresses how the institution will oversee its information system service providers. 7.) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. Condition and Context: The OMB Compliance Supplement requires auditors to verify that the institution has designated a qualified individual to oversee the information security program to and verify the institution has a written information security program that addresses the seven required elements. During our testwork over element 3, we noted that the College’s written information security program did not include information related to conducting periodic inventory of data, noting where it’s collected, stored, or transmitted. Cause and Effect: The cause of the condition found was due to lack of policies and procedures in place to ensure the written information security program addressed the required seven elements, which includes eight minimum safeguards. The effect of the condition found is that the College may not have appropriately designed and implemented safeguards to control the risks identified by the College through its risk assessment. Identification of Questioned Costs: None. 
Whether the Sampling was a Statistically Valid Sample: The sample was not intended to be, and was not, a statistically valid sample. Identification of Whether the Audit Finding was a Repeat Finding: This is not a repeat finding. Recommendation: We recommend that the College conducts periodic inventory of data and ensure it’s written information security program includes the requirement to conduct periodic inventory of data, noting where it’s collected, stored, or transmitted.
Compliance Requirements: Gramm-Leach Bliley Act – Student Information Security Condition or Requirement: The Gramm-Leach-Bliley Act (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The written information security program for institutions must address the following seven elements: 1.) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance. 2.) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. 3.) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment. At a minimum, the institution’s written information security program must address the implementation of the following eight minimum safeguards within the written information security program: i. Implement and periodically review access controls. ii. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. iii. Encrypt customer information on the institution’s system and when it’s in transit. iv. Assess apps developed by the institution. v. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. vi. Dispose of customer information securely vii. 
Anticipate and evaluate changes to the information system or network. viii. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. 4.) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. 5.) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program. 6.) Addresses how the institution will oversee its information system service providers. 7.) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. Condition and Context: The OMB Compliance Supplement requires auditors to verify that the institution has designated a qualified individual to oversee the information security program to and verify the institution has a written information security program that addresses the seven required elements. During our testwork over element 3, we noted that the College’s written information security program did not include information related to conducting periodic inventory of data, noting where it’s collected, stored, or transmitted. Cause and Effect: The cause of the condition found was due to lack of policies and procedures in place to ensure the written information security program addressed the required seven elements, which includes eight minimum safeguards. The effect of the condition found is that the College may not have appropriately designed and implemented safeguards to control the risks identified by the College through its risk assessment. Identification of Questioned Costs: None. 
Whether the Sampling was a Statistically Valid Sample: The sample was not intended to be, and was not, a statistically valid sample. Identification of Whether the Audit Finding was a Repeat Finding: This is not a repeat finding. Recommendation: We recommend that the College conducts periodic inventory of data and ensure it’s written information security program includes the requirement to conduct periodic inventory of data, noting where it’s collected, stored, or transmitted.
Compliance Requirements: Gramm-Leach Bliley Act – Student Information Security Condition or Requirement: The Gramm-Leach-Bliley Act (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The written information security program for institutions must address the following seven elements: 1.) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance. 2.) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. 3.) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment. At a minimum, the institution’s written information security program must address the implementation of the following eight minimum safeguards within the written information security program: i. Implement and periodically review access controls. ii. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. iii. Encrypt customer information on the institution’s system and when it’s in transit. iv. Assess apps developed by the institution. v. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. vi. Dispose of customer information securely vii. 
Anticipate and evaluate changes to the information system or network. viii. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. 4.) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. 5.) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program. 6.) Addresses how the institution will oversee its information system service providers. 7.) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. Condition and Context: The OMB Compliance Supplement requires auditors to verify that the institution has designated a qualified individual to oversee the information security program to and verify the institution has a written information security program that addresses the seven required elements. During our testwork over element 3, we noted that the College’s written information security program did not include information related to conducting periodic inventory of data, noting where it’s collected, stored, or transmitted. Cause and Effect: The cause of the condition found was due to lack of policies and procedures in place to ensure the written information security program addressed the required seven elements, which includes eight minimum safeguards. The effect of the condition found is that the College may not have appropriately designed and implemented safeguards to control the risks identified by the College through its risk assessment. Identification of Questioned Costs: None. 
Whether the Sampling was a Statistically Valid Sample: The sample was not intended to be, and was not, a statistically valid sample. Identification of Whether the Audit Finding was a Repeat Finding: This is not a repeat finding. Recommendation: We recommend that the College conducts periodic inventory of data and ensure it’s written information security program includes the requirement to conduct periodic inventory of data, noting where it’s collected, stored, or transmitted.
Compliance Requirements: Gramm-Leach Bliley Act – Student Information Security Condition or Requirement: The Gramm-Leach-Bliley Act (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The written information security program for institutions must address the following seven elements: 1.) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance. 2.) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. 3.) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment. At a minimum, the institution’s written information security program must address the implementation of the following eight minimum safeguards within the written information security program: i. Implement and periodically review access controls. ii. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. iii. Encrypt customer information on the institution’s system and when it’s in transit. iv. Assess apps developed by the institution. v. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. vi. Dispose of customer information securely vii. 
Anticipate and evaluate changes to the information system or network. viii. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. 4.) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. 5.) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program. 6.) Addresses how the institution will oversee its information system service providers. 7.) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. Condition and Context: The OMB Compliance Supplement requires auditors to verify that the institution has designated a qualified individual to oversee the information security program to and verify the institution has a written information security program that addresses the seven required elements. During our testwork over element 3, we noted that the College’s written information security program did not include information related to conducting periodic inventory of data, noting where it’s collected, stored, or transmitted. Cause and Effect: The cause of the condition found was due to lack of policies and procedures in place to ensure the written information security program addressed the required seven elements, which includes eight minimum safeguards. The effect of the condition found is that the College may not have appropriately designed and implemented safeguards to control the risks identified by the College through its risk assessment. Identification of Questioned Costs: None. 
Whether the Sampling was a Statistically Valid Sample: The sample was not intended to be, and was not, a statistically valid sample. Identification of Whether the Audit Finding was a Repeat Finding: This is not a repeat finding. Recommendation: We recommend that the College conducts periodic inventory of data and ensure it’s written information security program includes the requirement to conduct periodic inventory of data, noting where it’s collected, stored, or transmitted.
Compliance Requirements: Gramm-Leach Bliley Act – Student Information Security Condition or Requirement: The Gramm-Leach-Bliley Act (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The written information security program for institutions must address the following seven elements: 1.) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance. 2.) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. 3.) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment. At a minimum, the institution’s written information security program must address the implementation of the following eight minimum safeguards within the written information security program: i. Implement and periodically review access controls. ii. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. iii. Encrypt customer information on the institution’s system and when it’s in transit. iv. Assess apps developed by the institution. v. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. vi. Dispose of customer information securely vii. 
Anticipate and evaluate changes to the information system or network. viii. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. 4.) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. 5.) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program. 6.) Addresses how the institution will oversee its information system service providers. 7.) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. Condition and Context: The OMB Compliance Supplement requires auditors to verify that the institution has designated a qualified individual to oversee the information security program to and verify the institution has a written information security program that addresses the seven required elements. During our testwork over element 3, we noted that the College’s written information security program did not include information related to conducting periodic inventory of data, noting where it’s collected, stored, or transmitted. Cause and Effect: The cause of the condition found was due to lack of policies and procedures in place to ensure the written information security program addressed the required seven elements, which includes eight minimum safeguards. The effect of the condition found is that the College may not have appropriately designed and implemented safeguards to control the risks identified by the College through its risk assessment. Identification of Questioned Costs: None. 
Whether the Sampling was a Statistically Valid Sample: The sample was not intended to be, and was not, a statistically valid sample. Identification of Whether the Audit Finding was a Repeat Finding: This is not a repeat finding. Recommendation: We recommend that the College conducts periodic inventory of data and ensure it’s written information security program includes the requirement to conduct periodic inventory of data, noting where it’s collected, stored, or transmitted.