Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Internal Control over Compliance (Repeat Finding 2022-003, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002,
2015-002, 2014-008)
Federal Programs
Departments of Education and Department of Health and Human Services Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Department of Education
Education Stabilization Fund (COVID-19) (Assistance Listing number 84.425E) Award year ended June 30, 2023
Criteria:
2 CFR 200.303(a) requires that non-Federal entities receiving Federal awards establish and maintain effective internal control over the Federal award to provide reasonable assurance that they are managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition:
At the University of Nevada, Reno (“UNR”), University of Nevada, Las Vegas (“UNLV”), and System Computing Services (“SCS”), we noted deficiencies in security administration related to the information technology general controls
(“ITGCs”) in the PeopleSoft application. Specifically, controls were lacking around restriction of elevated access, user access reviews, termination of access and segregation of duties as it relates to the PeopleSoft application over the student financial assistance program.
Context:
During our testing of the ITGCs in the PeopleSoft application, we noted the following segregation of duties issues: (1) At UNLV, UNR and SCS, several users have both PeopleSoft Administrator rights within the Production and Development Environment. (2) At UNLV, four users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (3) At UNR, three users have both Production and Development environment access which allows them to modify PS objects and perform change management duties. (4) At SCS, UNR and UNLV, no appropriate level of review of the activities performed by users with access to modify production during the audit period. (5) At SCS, four users have both Production and Development environment
access which allows them to modify PS objects and perform change management duties. (6) At SCS, UNR and UNLV, activity performed by users with segregation of duties conflicts (see 1-3, 5 above), are not formally reviewed on a periodic basis for appropriateness.
The deficiencies in security administration controls could impact compliance requirements related to determining eligibility, disbursements, return of Title IV funds and verification.
Questioned Costs:
$0
Effect:
1. Security Administration (#4) and Change Management (#1-3, #5 & #6)-Student data within the PeopleSoft application may be affected by users having conflicting roles or access levels, and accountability may not be established. Student data may be affected by unauthorized, inappropriate, or untested changes to the system. This could impact eligibility, disbursements, return of Title IV funds and verification.
Cause:
The issues identified are part of the lack of effective ITGCs in the PeopleSoft application for the majority of the fiscal year.
Recommendation:
1. Security Administration (#4) - Management should perform a formally documented periodic review of user activities.
2. Change Management(#1-3, #5-6) - Management should segregate duties and remove users with access to both the Development and Production environments (limiting them to be able to access just one environment) or implement a formal review process over the activities performed by those responsible for program maintenance on a periodic basis.
As of 4/28/2023, management has reported to us findings #1-3, #5 were remediated as the segregation of duties (“SOD”) access was revoked. However, due to the timing of remediation, management should perform a formally documented review of users activities for the period of 7/1/2022-4/7/2023.
Views of Responsible Officials (unaudited):
Management concurs. In addition, as of 4/28/2023, management has taken action to remove access which was causing
SOD conflicts to address findings #1-3, #5.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.
Special Tests and Provisions: Return of Title IV funds for withdrawn students
(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Federal Programs:
Department of Education
Student Financial Assistance Cluster (Various Assistance Listing numbers) Award year ended June 30, 2023
Criteria:
Pursuant to the 34 CFR 668.22(j)(2), an institution is required to determine the withdrawal date for a student who withdraws without providing notification to the institution no later than 30 days after the end of the earlier of the
(1) payment period or period of enrollment, (2) academic year in which the student withdrew, or (3) educational program from which the student withdrew to allow for the timely calculation and return of Title IV funds as required. Pursuant to the 34 CFR 668.22(e), an institution is required to calculate the amount of Title IV assistance earned by the student once the institution has determined the withdrawal date in accordance with the 34 CFR 668.22(j), and pursuant to the 34 CFR 668.22(g), an institution is required to calculate and return unearned aid in the order as required: the lesser of the total amount of unearned Title IV assistance to be returned as calculated under 34 CFR 668.22(e)(4); or an amount equal to the total institutional charges incurred by the student for the payment period or period of enrollment multiplied by the percentage of Title IV grant or loan assistance that has not been earned by the student, as described in 34 CFR 668.22(e)(3). Pursuant to the 34 CFR 690.83(b)(2) an institution shall submit, in accordance with deadline dates established by the U.S. Department of Education (Secretary), through publication in the Federal Register, other reports and information the Secretary requires and shall comply with the procedures the Secretary finds necessary to ensure that the reports are correct.
Pursuant to 34 CFR 668.22(j)(1), an institution must return the amount of Title IV funds for which it is responsible as soon as, but no later than 45 days, after the date of the institution's determination that the student withdrew.
34 CFR 668.22(d) requires that an institution does not have to treat a leave of absence as a withdrawal if it is an approved leave of absence. A leave of absence is an approved leave of absence if - (i) The institution has a formal policy regarding leaves of absence; (ii) The student followed the institution's policy in requesting the leave of absence; (iii) The institution determines that there is a reasonable expectation that the student will return to the school; (iv) The institution approved the student's request in accordance with the institution's policy; (v) The leave of absence does not involve additional charges by the institution; (vi) The number of days in the approved leave of absence, when added to the number of days in all other approved leaves of absence, does not exceed 180 days in any 12-month period;
(vii) Except for a clock hour or nonterm credit hour program, upon the student's return from the leave of absence, the student is permitted to complete the coursework he or she began prior to the leave of absence; and (viii) If the student is a title IV, HEA program loan recipient, the institution explains to the student, prior to granting the leave of absence, the effects that the student's failure to return from a leave of absence may have on the student's loan repayment terms,
including the exhaustion of some or all of the student's grace period.
Condition:
During our testing at CSN, we identified the following instance: the Institution did not complete the return of Title IV funds as calculated within the 45-day requirement as noted in the Federal Regulations.
Context:
For two out of sixty students tested at CSN, the funds to be returned were not returned within the 45-day timeframe.
Questioned Costs:
CSN - $0
Effect:
CSN was not compliant with the timeliness rules for two students in our sample.
Cause:
Lack of oversight.
Recommendation:
We recommend that CSN adhere to its established controls to ensure the timely return of funds.
Views of Responsible Officials (unaudited):
Management concurs.