Finding 2023-002: Internal controls within the Student Financial Assistance (SFA)
IT Systems
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 2023; July 1, 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Condition:
Atrium Health CMHA has two primary student financial assistance (SFA) information technology (IT) systems and related applications that are used to process student financial assistance eligibility and disbursements as well as various other special tests and provisions required by the United States Department of Education.
Internal controls over the accuracy and completeness of the data and applications within the SFA IT systems at Atrium Health CMHA were not evaluated for fiscal year 2023.
Cause:
Internal controls over the accuracy and completeness of the data and applications within the SFA IT systems at Atrium Health CMHA were not evaluated for fiscal year 2023.
Effect or Potential Effect:
The data used within the IT systems and applications may not be complete or accurate or the applications may not function as intended.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule of Expenditures of Federal Awards (Schedule) totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should implement internal controls to ensure the IT systems are tested or implement compensating controls to ensure the data is accurate and complete.
Views of Responsible Officials:
Atrium Health CMHA management will develop a plan to ensure that the IT systems controls, or compensating controls exist and are in place.
Finding 2023-003: SFA Review and Approval Internal Controls
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 203; July 1 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Condition:
Atrium Health CMHA does not have review and approval internal controls or policies in place over the following compliance requirements:
• Cash management
• Eligibility
• Reporting
• Verification
• Enrollment Reporting
• Incentive Compensation
• Satisfactory Academic Progress
Cause:
While Atrium Health CMHA has procedures in place to process and record student financial assistance transactions, internal controls are not in place to review and approve the underlying transactions, reports and policies.
Effect or Potential Effect:
The underlying data may not be complete and accurate resulting in Atrium Health CMHA being noncompliant with the applicable compliance requirements. Reports may not be complete and accurate. Policies may not be up to date with the Department of Education requirements.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should develop and implement internal controls related to each of the compliance requirements to ensure the completeness and accuracy of the underlying data.
Views of Responsible Officials:
Atrium Health CMHA management will develop a plan to incorporate and document transactional review and approval to ensure completeness and accuracy of the underlying data and develop policies as applicable.
Finding 2023-004: Notification of Disbursements to or on Behalf of Students
Identification of the federal program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 2023; July 1, 2023 through June 30, 2024
Criteria or specific requirement (including statutory, regulatory or other citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
34 CFR 668.165(a)(1) – Before an institution disburses title IV, HEA program funds for any award year, the institution must notify a student of the amount of funds that the student or his or her parent can expect to receive under each title IV, HEA program, and how and when those funds will be disbursed. If those funds include Direct Loan program funds, the notice must indicate which funds are from subsidized loans, which are from unsubsidized loans, and which are from PLUS loans.
Condition:
When Direct Loans are being credited to a student’s account, an institution must notify the student, or parent, in writing of (1) the date and amount of the disbursement; (2) the student’s right, or parent’s right, to cancel all or a portion of that loan or loan disbursement and have the loan proceeds returned to the holder of that loan; and (3) the procedure and time by which the student or parent must notify the institution that he or she wishes to cancel the loan. Atrium Health CMHA was unable to provide the notification letters sent to the student as they are not maintained.
Cause:
The current IT system does not allow for the letters sent to be saved.
Effect or potential effect:
The disbursement notification letters may not have be sent in accordance with the regulations.
Questioned costs:
None.
Context:
Total expenditures for the Student Financial Assistance Cluster were $2,006,561 for the year ended December 31, 2023.
Identification as a repeat finding, if applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should implement internal controls to retain all disbursement notification letters sent to students.
Views of responsible officials:
Atrium Health CMHA management will develop a plan to ensure that the IT systems are changed such that notification letters can be retained or a control exists whereby hard-copies of notification letters are maintained.
Finding 2023-005: Gramm-Leach-Bliley Act (GLBA) – Student Information Security Controls
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 203; July 1, 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314).
Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts.
Condition:
Atrium Health CMHA did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of certain elements of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program did not address certain required elements per 16 CFR 314.4 to ensure compliance with federal regulations.
Cause:
Atrium Health CMHA did not retain sufficient documentation of their review procedures over certain elements of the Information Security Program.
Atrium Health CMHA did not include certain required elements within its Information Security Program.
Effect or Potential Effect:
The written Information Security Program is not compliant with federal regulations.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule of Expenditures of Federal Awards (Schedule) totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately.
Views of Responsible Officials:
Atrium Health CMHA management will ensure that all GLBA requirements over the Information Security Program are both documented completely and inclusive in scope of both general CMHA IT systems as well as IT systems specific to the SFA program.
Finding 2023-002: Internal controls within the Student Financial Assistance (SFA)
IT Systems
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 2023; July 1, 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Condition:
Atrium Health CMHA has two primary student financial assistance (SFA) information technology (IT) systems and related applications that are used to process student financial assistance eligibility and disbursements as well as various other special tests and provisions required by the United States Department of Education.
Internal controls over the accuracy and completeness of the data and applications within the SFA IT systems at Atrium Health CMHA were not evaluated for fiscal year 2023.
Cause:
Internal controls over the accuracy and completeness of the data and applications within the SFA IT systems at Atrium Health CMHA were not evaluated for fiscal year 2023.
Effect or Potential Effect:
The data used within the IT systems and applications may not be complete or accurate or the applications may not function as intended.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule of Expenditures of Federal Awards (Schedule) totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should implement internal controls to ensure the IT systems are tested or implement compensating controls to ensure the data is accurate and complete.
Views of Responsible Officials:
Atrium Health CMHA management will develop a plan to ensure that the IT systems controls, or compensating controls exist and are in place.
Finding 2023-003: SFA Review and Approval Internal Controls
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 203; July 1 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Condition:
Atrium Health CMHA does not have review and approval internal controls or policies in place over the following compliance requirements:
• Cash management
• Eligibility
• Reporting
• Verification
• Enrollment Reporting
• Incentive Compensation
• Satisfactory Academic Progress
Cause:
While Atrium Health CMHA has procedures in place to process and record student financial assistance transactions, internal controls are not in place to review and approve the underlying transactions, reports and policies.
Effect or Potential Effect:
The underlying data may not be complete and accurate resulting in Atrium Health CMHA being noncompliant with the applicable compliance requirements. Reports may not be complete and accurate. Policies may not be up to date with the Department of Education requirements.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should develop and implement internal controls related to each of the compliance requirements to ensure the completeness and accuracy of the underlying data.
Views of Responsible Officials:
Atrium Health CMHA management will develop a plan to incorporate and document transactional review and approval to ensure completeness and accuracy of the underlying data and develop policies as applicable.
Finding 2023-004: Notification of Disbursements to or on Behalf of Students
Identification of the federal program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 2023; July 1, 2023 through June 30, 2024
Criteria or specific requirement (including statutory, regulatory or other citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
34 CFR 668.165(a)(1) – Before an institution disburses title IV, HEA program funds for any award year, the institution must notify a student of the amount of funds that the student or his or her parent can expect to receive under each title IV, HEA program, and how and when those funds will be disbursed. If those funds include Direct Loan program funds, the notice must indicate which funds are from subsidized loans, which are from unsubsidized loans, and which are from PLUS loans.
Condition:
When Direct Loans are being credited to a student’s account, an institution must notify the student, or parent, in writing of (1) the date and amount of the disbursement; (2) the student’s right, or parent’s right, to cancel all or a portion of that loan or loan disbursement and have the loan proceeds returned to the holder of that loan; and (3) the procedure and time by which the student or parent must notify the institution that he or she wishes to cancel the loan. Atrium Health CMHA was unable to provide the notification letters sent to the student as they are not maintained.
Cause:
The current IT system does not allow for the letters sent to be saved.
Effect or potential effect:
The disbursement notification letters may not have be sent in accordance with the regulations.
Questioned costs:
None.
Context:
Total expenditures for the Student Financial Assistance Cluster were $2,006,561 for the year ended December 31, 2023.
Identification as a repeat finding, if applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should implement internal controls to retain all disbursement notification letters sent to students.
Views of responsible officials:
Atrium Health CMHA management will develop a plan to ensure that the IT systems are changed such that notification letters can be retained or a control exists whereby hard-copies of notification letters are maintained.
Finding 2023-005: Gramm-Leach-Bliley Act (GLBA) – Student Information Security Controls
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 203; July 1, 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314).
Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts.
Condition:
Atrium Health CMHA did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of certain elements of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program did not address certain required elements per 16 CFR 314.4 to ensure compliance with federal regulations.
Cause:
Atrium Health CMHA did not retain sufficient documentation of their review procedures over certain elements of the Information Security Program.
Atrium Health CMHA did not include certain required elements within its Information Security Program.
Effect or Potential Effect:
The written Information Security Program is not compliant with federal regulations.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule of Expenditures of Federal Awards (Schedule) totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately.
Views of Responsible Officials:
Atrium Health CMHA management will ensure that all GLBA requirements over the Information Security Program are both documented completely and inclusive in scope of both general CMHA IT systems as well as IT systems specific to the SFA program.
Finding 2023-002: Internal controls within the Student Financial Assistance (SFA)
IT Systems
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 2023; July 1, 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Condition:
Atrium Health CMHA has two primary student financial assistance (SFA) information technology (IT) systems and related applications that are used to process student financial assistance eligibility and disbursements as well as various other special tests and provisions required by the United States Department of Education.
Internal controls over the accuracy and completeness of the data and applications within the SFA IT systems at Atrium Health CMHA were not evaluated for fiscal year 2023.
Cause:
Internal controls over the accuracy and completeness of the data and applications within the SFA IT systems at Atrium Health CMHA were not evaluated for fiscal year 2023.
Effect or Potential Effect:
The data used within the IT systems and applications may not be complete or accurate or the applications may not function as intended.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule of Expenditures of Federal Awards (Schedule) totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should implement internal controls to ensure the IT systems are tested or implement compensating controls to ensure the data is accurate and complete.
Views of Responsible Officials:
Atrium Health CMHA management will develop a plan to ensure that the IT systems controls, or compensating controls exist and are in place.
Finding 2023-003: SFA Review and Approval Internal Controls
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 203; July 1 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Condition:
Atrium Health CMHA does not have review and approval internal controls or policies in place over the following compliance requirements:
• Cash management
• Eligibility
• Reporting
• Verification
• Enrollment Reporting
• Incentive Compensation
• Satisfactory Academic Progress
Cause:
While Atrium Health CMHA has procedures in place to process and record student financial assistance transactions, internal controls are not in place to review and approve the underlying transactions, reports and policies.
Effect or Potential Effect:
The underlying data may not be complete and accurate resulting in Atrium Health CMHA being noncompliant with the applicable compliance requirements. Reports may not be complete and accurate. Policies may not be up to date with the Department of Education requirements.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should develop and implement internal controls related to each of the compliance requirements to ensure the completeness and accuracy of the underlying data.
Views of Responsible Officials:
Atrium Health CMHA management will develop a plan to incorporate and document transactional review and approval to ensure completeness and accuracy of the underlying data and develop policies as applicable.
Finding 2023-004: Notification of Disbursements to or on Behalf of Students
Identification of the federal program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 2023; July 1, 2023 through June 30, 2024
Criteria or specific requirement (including statutory, regulatory or other citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
34 CFR 668.165(a)(1) – Before an institution disburses title IV, HEA program funds for any award year, the institution must notify a student of the amount of funds that the student or his or her parent can expect to receive under each title IV, HEA program, and how and when those funds will be disbursed. If those funds include Direct Loan program funds, the notice must indicate which funds are from subsidized loans, which are from unsubsidized loans, and which are from PLUS loans.
Condition:
When Direct Loans are being credited to a student’s account, an institution must notify the student, or parent, in writing of (1) the date and amount of the disbursement; (2) the student’s right, or parent’s right, to cancel all or a portion of that loan or loan disbursement and have the loan proceeds returned to the holder of that loan; and (3) the procedure and time by which the student or parent must notify the institution that he or she wishes to cancel the loan. Atrium Health CMHA was unable to provide the notification letters sent to the student as they are not maintained.
Cause:
The current IT system does not allow for the letters sent to be saved.
Effect or potential effect:
The disbursement notification letters may not have be sent in accordance with the regulations.
Questioned costs:
None.
Context:
Total expenditures for the Student Financial Assistance Cluster were $2,006,561 for the year ended December 31, 2023.
Identification as a repeat finding, if applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should implement internal controls to retain all disbursement notification letters sent to students.
Views of responsible officials:
Atrium Health CMHA management will develop a plan to ensure that the IT systems are changed such that notification letters can be retained or a control exists whereby hard-copies of notification letters are maintained.
Finding 2023-005: Gramm-Leach-Bliley Act (GLBA) – Student Information Security Controls
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 203; July 1, 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314).
Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts.
Condition:
Atrium Health CMHA did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of certain elements of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program did not address certain required elements per 16 CFR 314.4 to ensure compliance with federal regulations.
Cause:
Atrium Health CMHA did not retain sufficient documentation of their review procedures over certain elements of the Information Security Program.
Atrium Health CMHA did not include certain required elements within its Information Security Program.
Effect or Potential Effect:
The written Information Security Program is not compliant with federal regulations.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule of Expenditures of Federal Awards (Schedule) totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately.
Views of Responsible Officials:
Atrium Health CMHA management will ensure that all GLBA requirements over the Information Security Program are both documented completely and inclusive in scope of both general CMHA IT systems as well as IT systems specific to the SFA program.
Finding 2023-002: Internal controls within the Student Financial Assistance (SFA)
IT Systems
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 2023; July 1, 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Condition:
Atrium Health CMHA has two primary student financial assistance (SFA) information technology (IT) systems and related applications that are used to process student financial assistance eligibility and disbursements as well as various other special tests and provisions required by the United States Department of Education.
Internal controls over the accuracy and completeness of the data and applications within the SFA IT systems at Atrium Health CMHA were not evaluated for fiscal year 2023.
Cause:
Internal controls over the accuracy and completeness of the data and applications within the SFA IT systems at Atrium Health CMHA were not evaluated for fiscal year 2023.
Effect or Potential Effect:
The data used within the IT systems and applications may not be complete or accurate or the applications may not function as intended.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule of Expenditures of Federal Awards (Schedule) totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should implement internal controls to ensure the IT systems are tested or implement compensating controls to ensure the data is accurate and complete.
Views of Responsible Officials:
Atrium Health CMHA management will develop a plan to ensure that the IT systems controls, or compensating controls exist and are in place.
Finding 2023-003: SFA Review and Approval Internal Controls
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 203; July 1 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Condition:
Atrium Health CMHA does not have review and approval internal controls or policies in place over the following compliance requirements:
• Cash management
• Eligibility
• Reporting
• Verification
• Enrollment Reporting
• Incentive Compensation
• Satisfactory Academic Progress
Cause:
While Atrium Health CMHA has procedures in place to process and record student financial assistance transactions, internal controls are not in place to review and approve the underlying transactions, reports and policies.
Effect or Potential Effect:
The underlying data may not be complete and accurate resulting in Atrium Health CMHA being noncompliant with the applicable compliance requirements. Reports may not be complete and accurate. Policies may not be up to date with the Department of Education requirements.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should develop and implement internal controls related to each of the compliance requirements to ensure the completeness and accuracy of the underlying data.
Views of Responsible Officials:
Atrium Health CMHA management will develop a plan to incorporate and document transactional review and approval to ensure completeness and accuracy of the underlying data and develop policies as applicable.
Finding 2023-004: Notification of Disbursements to or on Behalf of Students
Identification of the federal program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 2023; July 1, 2023 through June 30, 2024
Criteria or specific requirement (including statutory, regulatory or other citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
34 CFR 668.165(a)(1) – Before an institution disburses title IV, HEA program funds for any award year, the institution must notify a student of the amount of funds that the student or his or her parent can expect to receive under each title IV, HEA program, and how and when those funds will be disbursed. If those funds include Direct Loan program funds, the notice must indicate which funds are from subsidized loans, which are from unsubsidized loans, and which are from PLUS loans.
Condition:
When Direct Loans are being credited to a student’s account, an institution must notify the student, or parent, in writing of (1) the date and amount of the disbursement; (2) the student’s right, or parent’s right, to cancel all or a portion of that loan or loan disbursement and have the loan proceeds returned to the holder of that loan; and (3) the procedure and time by which the student or parent must notify the institution that he or she wishes to cancel the loan. Atrium Health CMHA was unable to provide the notification letters sent to the student as they are not maintained.
Cause:
The current IT system does not allow for the letters sent to be saved.
Effect or potential effect:
The disbursement notification letters may not have be sent in accordance with the regulations.
Questioned costs:
None.
Context:
Total expenditures for the Student Financial Assistance Cluster were $2,006,561 for the year ended December 31, 2023.
Identification as a repeat finding, if applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should implement internal controls to retain all disbursement notification letters sent to students.
Views of responsible officials:
Atrium Health CMHA management will develop a plan to ensure that the IT systems are changed such that notification letters can be retained or a control exists whereby hard-copies of notification letters are maintained.
Finding 2023-005: Gramm-Leach-Bliley Act (GLBA) – Student Information Security Controls
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 203; July 1, 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314).
Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts.
Condition:
Atrium Health CMHA did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of certain elements of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program did not address certain required elements per 16 CFR 314.4 to ensure compliance with federal regulations.
Cause:
Atrium Health CMHA did not retain sufficient documentation of their review procedures over certain elements of the Information Security Program.
Atrium Health CMHA did not include certain required elements within its Information Security Program.
Effect or Potential Effect:
The written Information Security Program is not compliant with federal regulations.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule of Expenditures of Federal Awards (Schedule) totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately.
Views of Responsible Officials:
Atrium Health CMHA management will ensure that all GLBA requirements over the Information Security Program are both documented completely and inclusive in scope of both general CMHA IT systems as well as IT systems specific to the SFA program.
Finding 2023-002: Internal controls within the Student Financial Assistance (SFA)
IT Systems
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 2023; July 1, 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Condition:
Atrium Health CMHA has two primary student financial assistance (SFA) information technology (IT) systems and related applications that are used to process student financial assistance eligibility and disbursements as well as various other special tests and provisions required by the United States Department of Education.
Internal controls over the accuracy and completeness of the data and applications within the SFA IT systems at Atrium Health CMHA were not evaluated for fiscal year 2023.
Cause:
Internal controls over the accuracy and completeness of the data and applications within the SFA IT systems at Atrium Health CMHA were not evaluated for fiscal year 2023.
Effect or Potential Effect:
The data used within the IT systems and applications may not be complete or accurate or the applications may not function as intended.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule of Expenditures of Federal Awards (Schedule) totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should implement internal controls to ensure the IT systems are tested or implement compensating controls to ensure the data is accurate and complete.
Views of Responsible Officials:
Atrium Health CMHA management will develop a plan to ensure that the IT systems controls, or compensating controls exist and are in place.
Finding 2023-003: SFA Review and Approval Internal Controls
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 203; July 1 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Condition:
Atrium Health CMHA does not have review and approval internal controls or policies in place over the following compliance requirements:
• Cash management
• Eligibility
• Reporting
• Verification
• Enrollment Reporting
• Incentive Compensation
• Satisfactory Academic Progress
Cause:
While Atrium Health CMHA has procedures in place to process and record student financial assistance transactions, internal controls are not in place to review and approve the underlying transactions, reports and policies.
Effect or Potential Effect:
The underlying data may not be complete and accurate resulting in Atrium Health CMHA being noncompliant with the applicable compliance requirements. Reports may not be complete and accurate. Policies may not be up to date with the Department of Education requirements.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should develop and implement internal controls related to each of the compliance requirements to ensure the completeness and accuracy of the underlying data.
Views of Responsible Officials:
Atrium Health CMHA management will develop a plan to incorporate and document transactional review and approval to ensure completeness and accuracy of the underlying data and develop policies as applicable.
Finding 2023-004: Notification of Disbursements to or on Behalf of Students
Identification of the federal program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 2023; July 1, 2023 through June 30, 2024
Criteria or specific requirement (including statutory, regulatory or other citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
34 CFR 668.165(a)(1) – Before an institution disburses title IV, HEA program funds for any award year, the institution must notify a student of the amount of funds that the student or his or her parent can expect to receive under each title IV, HEA program, and how and when those funds will be disbursed. If those funds include Direct Loan program funds, the notice must indicate which funds are from subsidized loans, which are from unsubsidized loans, and which are from PLUS loans.
Condition:
When Direct Loans are being credited to a student’s account, an institution must notify the student, or parent, in writing of (1) the date and amount of the disbursement; (2) the student’s right, or parent’s right, to cancel all or a portion of that loan or loan disbursement and have the loan proceeds returned to the holder of that loan; and (3) the procedure and time by which the student or parent must notify the institution that he or she wishes to cancel the loan. Atrium Health CMHA was unable to provide the notification letters sent to the student as they are not maintained.
Cause:
The current IT system does not allow for the letters sent to be saved.
Effect or potential effect:
The disbursement notification letters may not have be sent in accordance with the regulations.
Questioned costs:
None.
Context:
Total expenditures for the Student Financial Assistance Cluster were $2,006,561 for the year ended December 31, 2023.
Identification as a repeat finding, if applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should implement internal controls to retain all disbursement notification letters sent to students.
Views of responsible officials:
Atrium Health CMHA management will develop a plan to ensure that the IT systems are changed such that notification letters can be retained or a control exists whereby hard-copies of notification letters are maintained.
Finding 2023-005: Gramm-Leach-Bliley Act (GLBA) – Student Information Security Controls
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 203; July 1, 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314).
Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts.
Condition:
Atrium Health CMHA did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of certain elements of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program did not address certain required elements per 16 CFR 314.4 to ensure compliance with federal regulations.
Cause:
Atrium Health CMHA did not retain sufficient documentation of their review procedures over certain elements of the Information Security Program.
Atrium Health CMHA did not include certain required elements within its Information Security Program.
Effect or Potential Effect:
The written Information Security Program is not compliant with federal regulations.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule of Expenditures of Federal Awards (Schedule) totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately.
Views of Responsible Officials:
Atrium Health CMHA management will ensure that all GLBA requirements over the Information Security Program are both documented completely and inclusive in scope of both general CMHA IT systems as well as IT systems specific to the SFA program.
Finding 2023-002: Internal controls within the Student Financial Assistance (SFA)
IT Systems
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 2023; July 1, 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Condition:
Atrium Health CMHA has two primary student financial assistance (SFA) information technology (IT) systems and related applications that are used to process student financial assistance eligibility and disbursements as well as various other special tests and provisions required by the United States Department of Education.
Internal controls over the accuracy and completeness of the data and applications within the SFA IT systems at Atrium Health CMHA were not evaluated for fiscal year 2023.
Cause:
Internal controls over the accuracy and completeness of the data and applications within the SFA IT systems at Atrium Health CMHA were not evaluated for fiscal year 2023.
Effect or Potential Effect:
The data used within the IT systems and applications may not be complete or accurate or the applications may not function as intended.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule of Expenditures of Federal Awards (Schedule) totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should implement internal controls to ensure the IT systems are tested or implement compensating controls to ensure the data is accurate and complete.
Views of Responsible Officials:
Atrium Health CMHA management will develop a plan to ensure that the IT systems controls, or compensating controls exist and are in place.
Finding 2023-003: SFA Review and Approval Internal Controls
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 203; July 1 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
Condition:
Atrium Health CMHA does not have review and approval internal controls or policies in place over the following compliance requirements:
• Cash management
• Eligibility
• Reporting
• Verification
• Enrollment Reporting
• Incentive Compensation
• Satisfactory Academic Progress
Cause:
While Atrium Health CMHA has procedures in place to process and record student financial assistance transactions, internal controls are not in place to review and approve the underlying transactions, reports and policies.
Effect or Potential Effect:
The underlying data may not be complete and accurate resulting in Atrium Health CMHA being noncompliant with the applicable compliance requirements. Reports may not be complete and accurate. Policies may not be up to date with the Department of Education requirements.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should develop and implement internal controls related to each of the compliance requirements to ensure the completeness and accuracy of the underlying data.
Views of Responsible Officials:
Atrium Health CMHA management will develop a plan to incorporate and document transactional review and approval to ensure completeness and accuracy of the underlying data and develop policies as applicable.
Finding 2023-004: Notification of Disbursements to or on Behalf of Students
Identification of the federal program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 2023; July 1, 2023 through June 30, 2024
Criteria or specific requirement (including statutory, regulatory or other citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
34 CFR 668.165(a)(1) – Before an institution disburses title IV, HEA program funds for any award year, the institution must notify a student of the amount of funds that the student or his or her parent can expect to receive under each title IV, HEA program, and how and when those funds will be disbursed. If those funds include Direct Loan program funds, the notice must indicate which funds are from subsidized loans, which are from unsubsidized loans, and which are from PLUS loans.
Condition:
When Direct Loans are being credited to a student’s account, an institution must notify the student, or parent, in writing of (1) the date and amount of the disbursement; (2) the student’s right, or parent’s right, to cancel all or a portion of that loan or loan disbursement and have the loan proceeds returned to the holder of that loan; and (3) the procedure and time by which the student or parent must notify the institution that he or she wishes to cancel the loan. Atrium Health CMHA was unable to provide the notification letters sent to the student as they are not maintained.
Cause:
The current IT system does not allow for the letters sent to be saved.
Effect or potential effect:
The disbursement notification letters may not have be sent in accordance with the regulations.
Questioned costs:
None.
Context:
Total expenditures for the Student Financial Assistance Cluster were $2,006,561 for the year ended December 31, 2023.
Identification as a repeat finding, if applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should implement internal controls to retain all disbursement notification letters sent to students.
Views of responsible officials:
Atrium Health CMHA management will develop a plan to ensure that the IT systems are changed such that notification letters can be retained or a control exists whereby hard-copies of notification letters are maintained.
Finding 2023-005: Gramm-Leach-Bliley Act (GLBA) – Student Information Security Controls
Identification of the Federal Program:
Federal Agency: United States Department of Education
Federal Cluster: Student Financial Assistance
Assistance Listing No.: 84.268 Federal Direct Student Loans (Direct Loans), 84.063 Federal Pell Grant Program
Award Periods: July 1, 2022 through June 30, 203; July 1, 2023 through June 30, 2024
Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation):
Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding internal control:
“The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314).
Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts.
Condition:
Atrium Health CMHA did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of certain elements of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program did not address certain required elements per 16 CFR 314.4 to ensure compliance with federal regulations.
Cause:
Atrium Health CMHA did not retain sufficient documentation of their review procedures over certain elements of the Information Security Program.
Atrium Health CMHA did not include certain required elements within its Information Security Program.
Effect or Potential Effect:
The written Information Security Program is not compliant with federal regulations.
Questioned Costs:
None
Context:
Total federal expenditures for the Student Financial Assistance Cluster recorded on the Schedule of Expenditures of Federal Awards (Schedule) totaled $2,006,561 for the year ended December 31, 2023.
Identification as a Repeat Finding, if Applicable:
This finding is not a repeat finding from the prior year.
Recommendation:
Atrium Health CMHA should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately.
Views of Responsible Officials:
Atrium Health CMHA management will ensure that all GLBA requirements over the Information Security Program are both documented completely and inclusive in scope of both general CMHA IT systems as well as IT systems specific to the SFA program.