Finding Number: 2022-004
Information on the Federal Program:
Federal Agency: United States Department of Education (ED)
Program Name: Student Financial Assistance Cluster
AL: 84.268 - Federal Direct Student Loans
Federal Award Identification Number: N/A
Federal Award Year: Year Ended May 31, 2022
Specific Requirement: Required by 34 CFR 668.165, an institution must notify the student, or parent, in writing of (1) the date and amount of disbursement; (2) the student's right, or parent's right, to cancel all or a portion of that loan; and (3) the procedure and time by which the student or parent must notify the institution that he or she wishes to cancel the loan. When funds are disbursed by electronic fund transfer and an institution does not implement an affirmative confirmation process, an institution must notify a student no earlier than 30 days before, but no later than 7 days after, crediting the student's account of their right to cancel all or part of the loan within 30 days.
Condition Found: During our audit, we noted the College did not send any disbursement notification letters informing the student, or their parent, of their right to cancel all or a portion of their loan for any Federal Direct Student Loans awarded during the academic year.
Context: Based on our sample, which was based on a statistically-based methodology, all 9 students tested who were disbursed Federal Direct Student Loans did not receive the disbursement notification letters informing the student, or their parent, of their right to cancel all or a portion of the loan within the required timeframe. Based on our discussion with management, the disbursement notification letters were not sent for any Federal Direct Student Loan awarded during the 2021-2022 academic year.
Questioned Costs: None.
Cause and Effect: The financial aid department at the College was not aware that a notification separate from the promissory note needed to be sent to students. As a result, students may not have been aware of their right to cancel their loan or the procedures and time by which the loan may be canceled.
Identification as a Repeat Finding, if Applicable: Not a repeat finding
Recommendation: We recommend the College implement a control procedure to ensure disbursement notification letters are sent to every student who received a direct loan disbursement, within 7 days, to be in compliance with the requirement described above.
Views of a Responsible Official and Corrective Action Plan: Management agrees with the finding and the recommendation. See Corrective Action Plan on page 42.

Finding Number: 2022-005
Information on the Federal Program:
Federal Agency: United States Department of Education (ED)
Program Name: Student Financial Assistance Cluster
Federal Award Identification Number: N/A
Federal Award Year: Year Ended May 31, 2022
Specific Requirement: Required by 16 CFR 314.4, an institution must design and implement safeguards to control the risks identified through risk assessment, including by (1) implementing and periodically reviewing access controls, including technical and physical controls to (i) authenticate and permit access only to authorized users to protect against the unauthorized acquisition of student information and (ii) limit authorized users' access only to student information that they need to perform their duties and functions; (2) identifying and managing the data, personnel, devices, systems and facilities that enable them to achieve business purposes in accordance with their relative importance to business objectives; and (3) protecting by encryption all student information held or transmitted over external networks and at rest.
Condition Found: During our audit, we noted the College does not have adequate safeguards and controls in place to mitigate identified information security risks.
Context: Based on our testing, an information security risk assessment was completed by a third-party consultant. This risk assessment identified several instances where sensitive information is not encrypted and stands at risk. Based on our discussion with management, the risk assessment was completed in the Spring of 2022 and they did not have enough time to implement sufficient responses and safeguards to the identified information security risks.
Questioned Costs: None.
Cause and Effect: The College does not have adequate staff on site needed to efficiently implement information security changes. As a result, there are areas where sensitive student information is at risk.
Identification as a Repeat Finding, if Applicable: Not a repeat finding
Recommendation: We recommend the College create information security policies and implement safeguards for each of the identified risks within the information technology assessment completed.
Views of a Responsible Official and Corrective Action Plan: Management agrees with the finding and the recommendation. See Corrective Action Plan on page 42.