FAC Explorer

Audit 323873

FY End
2024-05-31
Total Expended
$36.40M
Findings
24
Programs
14
Organization: Augsburg University (MN)
Year: 2024 Accepted: 2024-10-04
Auditor: Cliftonlarsonallen LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
501787 2024-001 Significant Deficiency - N
501788 2024-001 Significant Deficiency - N
501789 2024-001 Significant Deficiency - N
501790 2024-001 Significant Deficiency - N
501791 2024-001 Significant Deficiency - N
501792 2024-001 Significant Deficiency - N
501793 2024-002 Significant Deficiency - N
501794 2024-002 Significant Deficiency - N
501795 2024-002 Significant Deficiency - N
501796 2024-002 Significant Deficiency - N
501797 2024-002 Significant Deficiency - N
501798 2024-002 Significant Deficiency - N
1078229 2024-001 Significant Deficiency - N
1078230 2024-001 Significant Deficiency - N
1078231 2024-001 Significant Deficiency - N
1078232 2024-001 Significant Deficiency - N
1078233 2024-001 Significant Deficiency - N
1078234 2024-001 Significant Deficiency - N
1078235 2024-002 Significant Deficiency - N
1078236 2024-002 Significant Deficiency - N
1078237 2024-002 Significant Deficiency - N
1078238 2024-002 Significant Deficiency - N
1078239 2024-002 Significant Deficiency - N
1078240 2024-002 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $23.74M Yes 2
84.063 Federal Pell Grant Program $8.18M Yes 2
84.038 Federal Perkins Loan Program $1.65M Yes 2
84.007 Federal Supplemental Educational Opportunity Grants $685,822 Yes 2
84.033 Federal Work-Study Program $471,869 Yes 2
84.217 Trio_mcnair Post-Baccalaureate Achievement $264,834 - 0
84.042 Trio_student Support Services $243,428 - 0
47.050 Geosciences $241,355 - 0
47.076 Education and Human Resources $94,595 - 0
43.008 Education $46,984 - 0
94.021 Volunteer Generation Fund $40,956 - 0
84.379 Teacher Education Assistance for College and Higher Education Grants (teach Grants) $33,917 Yes 2
47.074 Biological Sciences $22,138 - 0
93.242 Mental Health Research Grants $20,856 - 0

Contacts

Name Title Type
H9TECNLDPD79 Gerri Stepanek Auditee
6123301032 Deirdre Hodgson Auditor
No contacts on file

Notes to SEFA

Title: BASIS OF PRESENTATION Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. During the year ended May 31, 2024, the University passed through $205,428 to subrecipients. De Minimis Rate Used: N Rate Explanation: Augsburg University has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal grant activity of Augsburg University and is presented on the accrual basis of accounting. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Therefore, some amounts presented in this schedule may differ from amounts presented in or used in the preparation of the basic financial statements.
Title: PERKINS LOAN PROGRAM Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. During the year ended May 31, 2024, the University passed through $205,428 to subrecipients. De Minimis Rate Used: N Rate Explanation: Augsburg University has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. Outstanding balance of Perkins loans administered by Augsburg University as of May 31, 2024 was as follows: Federal Perkins Loan Program (CFDA #84.038) Loan Balance $948,108
Title: STUDENT FINANCIAL AID INSTITUTIONAL AND PROGRAM ELIGIBILITY METRICS Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. During the year ended May 31, 2024, the University passed through $205,428 to subrecipients. De Minimis Rate Used: N Rate Explanation: Augsburg University has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The University is in compliance with the following institutional and program eligibility requirements under the Higher Education Act of 1965 and Federal regulations under 34 CFR 668.23: • Correspondence courses the institution offers under 34 CFR 600.7(b) and (g) • Regular students that enroll in correspondence courses under 34 CFR 600.7(b) and (g) • Institution’s regular students that are incarcerated under 34 CFR 600.7(c) and (g) • Completion rates for confined or incarcerated individuals enrolled in non-degree programs at nonprofit institutions under 34 CFR 600.7(c)(3)(ii) and (g) • Institution’s regular students that lack a high school diploma or its equivalent under 34 CFR 600.7(d) and (g) • Completion rates for short-term programs under 34 CFR 668.8(f) and (g) • Placement rates for short-term programs under https://www.ecfr.gov/current/title-34/subtitle-B/chapter-VI/part-668/subpart-A/section-668.8 34 CFR 668.8(e)(2)

Finding Details

Finding 2024-001
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. In addition, regulations require that an institution make necessary corrections and return the records within 10 days for any roster files that don’t pass the NSLDS enrollment reporting edits. Condition: We noted that 2 out of 40 students tested did not have their enrollment date correctly reported in NSLDS. Questioned costs: None Context: The University did not have an effective process in place to report the enrollment date of students that enrolled in courses in a semester but then never attended. Cause: The University’s processes and controls did not ensure that student enrollment dates were accurately reported for a subset of the student population. Effect: The NSLDS system is not updated with the accurate student information which can cause the students to not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. In addition, regulations require that an institution make necessary corrections and return the records within 10 days for any roster files that don’t pass the NSLDS enrollment reporting edits. Condition: We noted that 2 out of 40 students tested did not have their enrollment date correctly reported in NSLDS. Questioned costs: None Context: The University did not have an effective process in place to report the enrollment date of students that enrolled in courses in a semester but then never attended. Cause: The University’s processes and controls did not ensure that student enrollment dates were accurately reported for a subset of the student population. Effect: The NSLDS system is not updated with the accurate student information which can cause the students to not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. In addition, regulations require that an institution make necessary corrections and return the records within 10 days for any roster files that don’t pass the NSLDS enrollment reporting edits. Condition: We noted that 2 out of 40 students tested did not have their enrollment date correctly reported in NSLDS. Questioned costs: None Context: The University did not have an effective process in place to report the enrollment date of students that enrolled in courses in a semester but then never attended. Cause: The University’s processes and controls did not ensure that student enrollment dates were accurately reported for a subset of the student population. Effect: The NSLDS system is not updated with the accurate student information which can cause the students to not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. In addition, regulations require that an institution make necessary corrections and return the records within 10 days for any roster files that don’t pass the NSLDS enrollment reporting edits. Condition: We noted that 2 out of 40 students tested did not have their enrollment date correctly reported in NSLDS. Questioned costs: None Context: The University did not have an effective process in place to report the enrollment date of students that enrolled in courses in a semester but then never attended. Cause: The University’s processes and controls did not ensure that student enrollment dates were accurately reported for a subset of the student population. Effect: The NSLDS system is not updated with the accurate student information which can cause the students to not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. In addition, regulations require that an institution make necessary corrections and return the records within 10 days for any roster files that don’t pass the NSLDS enrollment reporting edits. Condition: We noted that 2 out of 40 students tested did not have their enrollment date correctly reported in NSLDS. Questioned costs: None Context: The University did not have an effective process in place to report the enrollment date of students that enrolled in courses in a semester but then never attended. Cause: The University’s processes and controls did not ensure that student enrollment dates were accurately reported for a subset of the student population. Effect: The NSLDS system is not updated with the accurate student information which can cause the students to not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. In addition, regulations require that an institution make necessary corrections and return the records within 10 days for any roster files that don’t pass the NSLDS enrollment reporting edits. Condition: We noted that 2 out of 40 students tested did not have their enrollment date correctly reported in NSLDS. Questioned costs: None Context: The University did not have an effective process in place to report the enrollment date of students that enrolled in courses in a semester but then never attended. Cause: The University’s processes and controls did not ensure that student enrollment dates were accurately reported for a subset of the student population. Effect: The NSLDS system is not updated with the accurate student information which can cause the students to not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were five items missing entirely from the Written Information Security Program: B.2 CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. B.3 The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: o Implement multi-factor authentication for anyone accessing customer information on the institution’s system o Dispose of customer information securely o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. B.4 In addition, CLA was not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were four elements missing from the WISP at the end of the fiscal year. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were five items missing entirely from the Written Information Security Program: B.2 CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. B.3 The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: o Implement multi-factor authentication for anyone accessing customer information on the institution’s system o Dispose of customer information securely o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. B.4 In addition, CLA was not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were four elements missing from the WISP at the end of the fiscal year. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were five items missing entirely from the Written Information Security Program: B.2 CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. B.3 The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: o Implement multi-factor authentication for anyone accessing customer information on the institution’s system o Dispose of customer information securely o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. B.4 In addition, CLA was not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were four elements missing from the WISP at the end of the fiscal year. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were five items missing entirely from the Written Information Security Program: B.2 CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. B.3 The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: o Implement multi-factor authentication for anyone accessing customer information on the institution’s system o Dispose of customer information securely o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. B.4 In addition, CLA was not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were four elements missing from the WISP at the end of the fiscal year. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were five items missing entirely from the Written Information Security Program: B.2 CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. B.3 The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: o Implement multi-factor authentication for anyone accessing customer information on the institution’s system o Dispose of customer information securely o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. B.4 In addition, CLA was not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were four elements missing from the WISP at the end of the fiscal year. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were five items missing entirely from the Written Information Security Program: B.2 CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. B.3 The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: o Implement multi-factor authentication for anyone accessing customer information on the institution’s system o Dispose of customer information securely o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. B.4 In addition, CLA was not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were four elements missing from the WISP at the end of the fiscal year. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. In addition, regulations require that an institution make necessary corrections and return the records within 10 days for any roster files that don’t pass the NSLDS enrollment reporting edits. Condition: We noted that 2 out of 40 students tested did not have their enrollment date correctly reported in NSLDS. Questioned costs: None Context: The University did not have an effective process in place to report the enrollment date of students that enrolled in courses in a semester but then never attended. Cause: The University’s processes and controls did not ensure that student enrollment dates were accurately reported for a subset of the student population. Effect: The NSLDS system is not updated with the accurate student information which can cause the students to not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. In addition, regulations require that an institution make necessary corrections and return the records within 10 days for any roster files that don’t pass the NSLDS enrollment reporting edits. Condition: We noted that 2 out of 40 students tested did not have their enrollment date correctly reported in NSLDS. Questioned costs: None Context: The University did not have an effective process in place to report the enrollment date of students that enrolled in courses in a semester but then never attended. Cause: The University’s processes and controls did not ensure that student enrollment dates were accurately reported for a subset of the student population. Effect: The NSLDS system is not updated with the accurate student information which can cause the students to not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. In addition, regulations require that an institution make necessary corrections and return the records within 10 days for any roster files that don’t pass the NSLDS enrollment reporting edits. Condition: We noted that 2 out of 40 students tested did not have their enrollment date correctly reported in NSLDS. Questioned costs: None Context: The University did not have an effective process in place to report the enrollment date of students that enrolled in courses in a semester but then never attended. Cause: The University’s processes and controls did not ensure that student enrollment dates were accurately reported for a subset of the student population. Effect: The NSLDS system is not updated with the accurate student information which can cause the students to not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. In addition, regulations require that an institution make necessary corrections and return the records within 10 days for any roster files that don’t pass the NSLDS enrollment reporting edits. Condition: We noted that 2 out of 40 students tested did not have their enrollment date correctly reported in NSLDS. Questioned costs: None Context: The University did not have an effective process in place to report the enrollment date of students that enrolled in courses in a semester but then never attended. Cause: The University’s processes and controls did not ensure that student enrollment dates were accurately reported for a subset of the student population. Effect: The NSLDS system is not updated with the accurate student information which can cause the students to not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. In addition, regulations require that an institution make necessary corrections and return the records within 10 days for any roster files that don’t pass the NSLDS enrollment reporting edits. Condition: We noted that 2 out of 40 students tested did not have their enrollment date correctly reported in NSLDS. Questioned costs: None Context: The University did not have an effective process in place to report the enrollment date of students that enrolled in courses in a semester but then never attended. Cause: The University’s processes and controls did not ensure that student enrollment dates were accurately reported for a subset of the student population. Effect: The NSLDS system is not updated with the accurate student information which can cause the students to not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. In addition, regulations require that an institution make necessary corrections and return the records within 10 days for any roster files that don’t pass the NSLDS enrollment reporting edits. Condition: We noted that 2 out of 40 students tested did not have their enrollment date correctly reported in NSLDS. Questioned costs: None Context: The University did not have an effective process in place to report the enrollment date of students that enrolled in courses in a semester but then never attended. Cause: The University’s processes and controls did not ensure that student enrollment dates were accurately reported for a subset of the student population. Effect: The NSLDS system is not updated with the accurate student information which can cause the students to not properly enter the repayment period. Repeat Finding: No Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were five items missing entirely from the Written Information Security Program: B.2 CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. B.3 The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: o Implement multi-factor authentication for anyone accessing customer information on the institution’s system o Dispose of customer information securely o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. B.4 In addition, CLA was not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were four elements missing from the WISP at the end of the fiscal year. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were five items missing entirely from the Written Information Security Program: B.2 CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. B.3 The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: o Implement multi-factor authentication for anyone accessing customer information on the institution’s system o Dispose of customer information securely o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. B.4 In addition, CLA was not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were four elements missing from the WISP at the end of the fiscal year. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were five items missing entirely from the Written Information Security Program: B.2 CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. B.3 The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: o Implement multi-factor authentication for anyone accessing customer information on the institution’s system o Dispose of customer information securely o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. B.4 In addition, CLA was not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were four elements missing from the WISP at the end of the fiscal year. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were five items missing entirely from the Written Information Security Program: B.2 CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. B.3 The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: o Implement multi-factor authentication for anyone accessing customer information on the institution’s system o Dispose of customer information securely o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. B.4 In addition, CLA was not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were four elements missing from the WISP at the end of the fiscal year. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were five items missing entirely from the Written Information Security Program: B.2 CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. B.3 The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: o Implement multi-factor authentication for anyone accessing customer information on the institution’s system o Dispose of customer information securely o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. B.4 In addition, CLA was not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were four elements missing from the WISP at the end of the fiscal year. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.007, 84.033, 84.063, 84.268 Federal Award Identification Number and Year: N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were five items missing entirely from the Written Information Security Program: B.2 CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. B.3 The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: o Implement multi-factor authentication for anyone accessing customer information on the institution’s system o Dispose of customer information securely o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. B.4 In addition, CLA was not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were four elements missing from the WISP at the end of the fiscal year. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of responsible officials: There is no disagreement with the audit finding.