Audit 303477

FY End
2023-08-31
Total Expended
$20.85M
Findings
8
Programs
23
Organization: Broome Community College (NY)
Year: 2023 Accepted: 2024-04-15
Auditor: Bonadio & CO LLP

Findings

ID Ref Severity Repeat Requirement
393158 2023-001 Significant Deficiency - N
393159 2023-001 Significant Deficiency - N
393160 2023-001 Significant Deficiency - N
393161 2023-001 Significant Deficiency - N
969600 2023-001 Significant Deficiency - N
969601 2023-001 Significant Deficiency - N
969602 2023-001 Significant Deficiency - N
969603 2023-001 Significant Deficiency - N

Contacts

Name Title Type
MA2YMDBA4LN5 Jeanette Tillotson Auditee
6077785291 Joseph Heroux Auditor

Notes to SEFA

Title: BASIS OF PRESENTATION
Accounting Policies: Expenditures reported on the Schedule are presented in conformity with accounting principles generally accepted in the United States and the amounts presented are derived from the College’s general ledger.
De Minimis Rate Used: N
Rate Explanation: N/A
The accompanying schedule of expenditures of federal awards (Schedule) includes the federal award activity of Broome Community College (College) under programs of the federal government for the year ended August 31, 2023. The information is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards. Because the Schedule presents only a selected portion of the operations of the College, it is not intended to and does not present the financial position or the respective changes in the financial position of the business-type activities and the discretely presented component units of the College.

Title: PASS-THROUGH PROGRAMS
Accounting Policies: Expenditures reported on the Schedule are presented in conformity with accounting principles generally accepted in the United States and the amounts presented are derived from the College’s general ledger.
De Minimis Rate Used: N
Rate Explanation: N/A
When the College receives funds from a government entity other than the federal government (pass-through), the funds are accumulated based upon the Assistance Listing number advised by the pass-through grantor. Identifying numbers, other than Assistance Listing numbers, which may be assigned by pass-through grantors are not maintained in the College’s financial management system. The College has identified certain pass-through identifying numbers and included them in the Schedule, as available.

Title: INDIRECT COSTS
Accounting Policies: Expenditures reported on the Schedule are presented in conformity with accounting principles generally accepted in the United States and the amounts presented are derived from the College’s general ledger.
De Minimis Rate Used: N
Rate Explanation: N/A
The College has elected not to use the 10% de minimis indirect cost rate as allowed under the Uniform Guidance.

Title: MATCHING COSTS
Accounting Policies: Expenditures reported on the Schedule are presented in conformity with accounting principles generally accepted in the United States and the amounts presented are derived from the College’s general ledger.
De Minimis Rate Used: N
Rate Explanation: N/A
Matching costs, i.e., the College’s share of certain program costs, are not included in the Schedule.

Title: STUDENT LOANS
Accounting Policies: Expenditures reported on the Schedule are presented in conformity with accounting principles generally accepted in the United States and the amounts presented are derived from the College’s general ledger.
De Minimis Rate Used: N
Rate Explanation: N/A
The College participates in the Federal Direct Student Loan Program (Assistance Listing #84.268) which offers low-interest loans to students and parents. During the fiscal year ended August 31, 2023, the College processed $10,837,927 of new loans under the Federal Direct Student Loan Program. With respect to the Federal Direct Student Loan Program, the College is only responsible for the performance of certain administrative duties; therefore, the College’s financial statements do not include any amounts relative to these loans. The cumulative amount of total loans guaranteed and outstanding at August 31, 2023 is undeterminable.

Finding Details

Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:
- Employee training and management.
- Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.
- Detecting, preventing, and responding to attacks, intrusions, or other system failures.

Condition: During our testing, we noted the following:
- The annual risk assessment was performed during the audit year; however, results were not communicated to management and there is no mention of any risks to technology, information security, data protections, assets, cybersecurity, or regulatory compliance.
- Annual security awareness training for employees is in place; however, completion of the training is not enforced.
- A vendor management program is not in place.
- Mobile device management is not in place.
- While protections are in place for data backups, a Disaster Recovery Plan and Business Continuity Plan are not in place.
- GLBA rules also require that a basic set of policies and procedures, as well as a program for annual risk assessment and reporting, is in place. The policies supplied by the College were missing the expected areas.

Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete.

Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured.

Context: Inquiry and observation of the information received from the College related to compliance with GLBA.

Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process.

View of Responsible Officials: The College agrees that it should become compliant with GLBA Safeguarding rules as soon as reasonably possible. A project to create, approve, implement, and monitor a comprehensive risk assessment process is in process and the College will commit the resources necessary to bring us into compliance in a timely fashion. Progress update meetings will be scheduled accordingly and reported to the Audit and Finance Committee of the College's Board of Trustees.