FAC Explorer

Audit 302771

FY End
2023-09-30
Total Expended
$21.44M
Findings
4
Programs
2
Organization: Sonoran University of Health Sciences (AZ)
Year: 2023 Accepted: 2024-04-05
Auditor: Cliftonlarsonallen LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
392472 2023-001 Significant Deficiency - N
392473 2023-001 Significant Deficiency - N
968914 2023-001 Significant Deficiency - N
968915 2023-001 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $21.32M Yes 1
84.033 Federal Work-Study Program $125,000 Yes 1

Contacts

Name Title Type
SJK3WDBXWLJ6 Edward Podol Auditee
4805284182 Don Loberg Auditor
No contacts on file

Notes to SEFA

Title: BASIS OF PRESENTATION Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years De Minimis Rate Used: N Rate Explanation: Sonoran University of Health Sciences and Affiliate has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of Sonoran University of Health Sciences and Affiliate under programs of the federal government for the year ended September 30, 2023. The information in this Schedule is presented in accordance with the requirements of 2 CFR Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of Sonoran University of Health Sciences and Affiliate, it is not intended to and does not present the consolidated financial position, changes in net assets, or consolidated cash flows of Sonoran University of Health Sciences and Affiliate. The University did not provide any federal funds to subrecipients nor did they receive any federal noncash assistance, insurance, loans, or loan guarantees.

Finding Details

Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: October 1, 2022 through September 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were three missing items from the Written Information Security Program. We did not identify procedures in place to securely dispose sensitive information. Standards should include a two-year retention period and a requirement that the institution periodically reviews its data retention period. We also did not identify in the WISP the institution's continuous monitoring capabilities and control testing. If continuous monitoring is not in place at the institution, then the institution should include within the written information security program, its processes to perform an annual penetration test and semi-annual vulnerability assessments. Lastly, we did not identify that the WISP includes the institution's continuous monitoring capabilities and control testing. If continuous monitoring is not in place at the institution, then the institution should include within the written information security program, its processes to perform an annual penetration test and semi-annual vulnerability assessments. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were three elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: October 1, 2022 through September 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were three missing items from the Written Information Security Program. We did not identify procedures in place to securely dispose sensitive information. Standards should include a two-year retention period and a requirement that the institution periodically reviews its data retention period. We also did not identify in the WISP the institution's continuous monitoring capabilities and control testing. If continuous monitoring is not in place at the institution, then the institution should include within the written information security program, its processes to perform an annual penetration test and semi-annual vulnerability assessments. Lastly, we did not identify that the WISP includes the institution's continuous monitoring capabilities and control testing. If continuous monitoring is not in place at the institution, then the institution should include within the written information security program, its processes to perform an annual penetration test and semi-annual vulnerability assessments. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were three elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: October 1, 2022 through September 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were three missing items from the Written Information Security Program. We did not identify procedures in place to securely dispose sensitive information. Standards should include a two-year retention period and a requirement that the institution periodically reviews its data retention period. We also did not identify in the WISP the institution's continuous monitoring capabilities and control testing. If continuous monitoring is not in place at the institution, then the institution should include within the written information security program, its processes to perform an annual penetration test and semi-annual vulnerability assessments. Lastly, we did not identify that the WISP includes the institution's continuous monitoring capabilities and control testing. If continuous monitoring is not in place at the institution, then the institution should include within the written information security program, its processes to perform an annual penetration test and semi-annual vulnerability assessments. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were three elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: October 1, 2022 through September 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were three missing items from the Written Information Security Program. We did not identify procedures in place to securely dispose sensitive information. Standards should include a two-year retention period and a requirement that the institution periodically reviews its data retention period. We also did not identify in the WISP the institution's continuous monitoring capabilities and control testing. If continuous monitoring is not in place at the institution, then the institution should include within the written information security program, its processes to perform an annual penetration test and semi-annual vulnerability assessments. Lastly, we did not identify that the WISP includes the institution's continuous monitoring capabilities and control testing. If continuous monitoring is not in place at the institution, then the institution should include within the written information security program, its processes to perform an annual penetration test and semi-annual vulnerability assessments. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were three elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.