Audit 325123

FY End: 2024-06-30
Total Expended: $14.18M
Findings: 16
Programs: 14
Organization: Saint Martin's University (WA)
Year: 2024
Accepted: 2024-10-17
Auditor: Moss Adams


Findings

ID Ref Severity Repeat Requirement
503110 2024-001 Significant Deficiency Yes N
503111 2024-001 Significant Deficiency Yes N
503112 2024-001 Significant Deficiency Yes N
503113 2024-001 Significant Deficiency Yes N
503114 2024-001 Significant Deficiency Yes N
503115 2024-001 Significant Deficiency Yes N
503116 2024-002 Significant Deficiency - N
503117 2024-002 Significant Deficiency - N
1079552 2024-001 Significant Deficiency Yes N
1079553 2024-001 Significant Deficiency Yes N
1079554 2024-001 Significant Deficiency Yes N
1079555 2024-001 Significant Deficiency Yes N
1079556 2024-001 Significant Deficiency Yes N
1079557 2024-001 Significant Deficiency Yes N
1079558 2024-002 Significant Deficiency - N
1079559 2024-002 Significant Deficiency - N

Contacts

Name Title Type
X1JTKJDRL5M7 Timothy Madeley Auditee
3606882702 Hilary Tanneberg Auditor

Notes to SEFA

Title: Note A – Basis of Presentation
Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement.
De Minimis Rate Used: N
Rate Explanation: The University has elected to not use the 10 percent de minimis indirect cost rate as allowed under the Uniform Guidance.
The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of Saint Martin’s University (the University) under programs of the federal government for the year ended June 30, 2024. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the University, it is not intended to and does not present the financial position, changes in net assets, or cash flows of the University.

Title: Note C – Federal Perkins Loan Program Administration
Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement.
De Minimis Rate Used: N
Rate Explanation: The University has elected to not use the 10 percent de minimis indirect cost rate as allowed under the Uniform Guidance.
The University administers the following loan balance outstanding at June 30, 2024.

Finding Details

Gramm-Leach-Bliley Act – Student Information Security – Significant Deficiency in Internal Controls over Compliance
Student Financial Assistance Cluster
U.S. Department of Education
Federal Assistance Listing Number: 84.063, 84.268, 84.007, 84.033, 84.379, 84.038
Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans, Federal Supplemental Educational Opportunity Grants, Federal Work-Study Program, Teacher Education Assistance for College and Higher Education Grants
Federal Award Number: P063P230416, P268K240416, P007A234401, P033A234401, P379T240416
Award Year: 2023-24, 2022-23
Criteria: Per 16 CFR 314.3, institutions subject to the requirement shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size and complexity, the nature and scope of their activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in 16 CFR 314.4 and shall be reasonably designed to achieve the objectives of 16 CFR 314.3(b). These requirements were effective as of June 9, 2023.
Condition/context: Based on our review of the information provided by the University, they are currently in the process of reviewing and finalizing their information security program. The written draft provided did not appear to have been updated in several years and did not clearly address all of the required elements in 16 CFR 314.4.
Questioned costs: None.
Cause/effect: The Integrated Technology Services department has experienced staff shortages which have contributed to the delay in implementation of this standard. The absence of a well-designed and documented policy addressing the standards set forth under the act could put the security, confidentiality, and integrity of student information at risk.
Repeat finding: Yes, 2023-002
Recommendation: We recommend the University review the compliance requirements and update their written policy to ensure that it addresses all the required elements.
Views of responsible officials and planned corrective actions: Saint Martin’s University management agrees with the finding. The University will review the requirements of 16 CFR 314.4, update our written policy to ensure that it addresses all the required elements 16 CFR 314.3(b), and perform an annual review of our updated policy to ensure that it continues to comply with all relevant regulations. The University is currently in the process of formally adopting a cybersecurity framework as well as securing a vendor to perform an IT security assessment. This ongoing work in the interest of the security, confidentiality, and integrity of student information will position us well to make the recommended updates to our policy.
Special Tests and Provisions – Enrollment Reporting – Significant Deficiency in Internal Controls over Compliance
Student Financial Assistance Cluster
U.S. Department of Education
Federal Assistance Listing Number: 84.063, 84.268
Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans
Federal Award Number: P063P230416, P268K240416
Award Year: 2023-24
Criteria: Uniform Guidance requires institutions to have internal controls in place to ensure attendance changes for students are reported to the National Student Loan Data System (NSLDS) within at least 60 days of when the student attendance change occurs. It is the University's responsibility to update students' enrollment information timely and accurately as outlined in 34 CFR section 685.309.
Condition/context: A sample of 40 students who were borrowers of Federal Direct student loans or recipients of Pell grants and had withdrawn or graduated from the University during the 2023-2024 fiscal year were selected. The enrollment information and withdrawal or graduation date per the University's records was compared to the information reported to the NSLDS. We noted that of the 40 students sampled, 19 students who had graduated and 3 students who had withdrawn from the University were not properly reported to NSLDS within the 60 day requirement. Our sample was not, and was not intended to be, statistically valid.
Questioned costs: None
Cause/effect: This occurred as a result of lack of well-documented controls over timely reporting to NSLDS. This resulted in late reporting of the information to NSLDS. The enrollment information reported to NSLDS is utilized by ED, the Direct Loan program, lenders, and other institutions to determine in-school status.
Repeat finding: No
Recommendation: We recommend the University further educate and train those involved in the reporting of enrollment status changes to the NSLDS. We also recommend the University review their documented policies and procedures and ensure controls exist and are well documented in order to ensure enrollment data is reported timely and accurately to NSLDS.
Views of responsible officials and planned corrective actions: Saint Martin’s University management agrees with the finding. The Director of Financial Aid will continue education on enrollment reporting requirements. The Director and the Registrar will continue to work together on enrollment reporting requirements. The Director of Financial Aid will now report withdrawals due to return to title IV, as well as conferrals, to the National Student Loan Data System directly once the University receives notice of either withdrawal or completion of a degree. Weekly, withdrawals for return to title IV are monitored and reported and now student financial aid will report directly to NSLDS to avoid any lag time in relying on reporting to the Clearinghouse. At the end of each term, after the Registrar has conferred degrees, student financial aid will also acquire the list of students who have graduated and report their graduation status to NSLDS.
Gramm-Leach-Bliley Act – Student Information Security – Significant Deficiency in Internal Controls over Compliance Student Financial Assistance Cluster U.S. Department of Education Federal Assistance Listing Number: 84.063, 84.268, 84.007, 84.033, 84.379, 84.038 Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans, Federal Supplemental Educational Opportunity Grants, Federal Work-Study Program, Teacher Education Assistance for College and Higher Education Grants Federal Award Number: P063P230416, P268K240416, P007A234401, P033A234401, P379T240416 Award Year: 2023-24, 2022-23 Criteria: Per 16 CFR 314.3, institutions subject to the requirement shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size and complexity, the nature and scope of their activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in 16 CFR 314.4 and shall be reasonably designed to achieve the objectives of 16 CFR 314.3(b). These requirements were effective as of June 9, 2023. Condition/context: Based on our review of the information provided by the University, they are currently in the process of reviewing and finalizing their information security program. The written draft provided did not appear to have been updated in several years and did not clearly address all of the required elements in 16 CFR 314.4. Questioned costs: None. Cause/effect: The Integrated Technology Services department has experienced staff shortages which have contributed to the delay in implementation of this standard. The absence of a well-designed and documented policy addressing the standards set forth under the act could put the security, confidentiality, and integrity of student information at risk. 
Repeat finding: Yes, 2023-002 Recommendation: We recommend the University review the compliance requirements and update their written policy to ensure that it addresses all the required elements. Views of responsible officials and planned corrective actions: Saint Martin’s University management agrees with the finding. The University will review the requirements of 16 CFR 314.4, update our written policy to ensure that it addresses all the required elements 16 CFR 314.3(b), and perform an annual review of our updated policy to ensure that it continues to comply with all relevant regulations. The University is currently in the process of formally adopting a cybersecurity framework as well as securing a vendor to perform an IT security assessment. This ongoing work in the interest of the security, confidentiality, and integrity of student information will position us well to make the recommended updates to our policy.
Gramm-Leach-Bliley Act – Student Information Security – Significant Deficiency in Internal Controls over Compliance Student Financial Assistance Cluster U.S. Department of Education Federal Assistance Listing Number: 84.063, 84.268, 84.007, 84.033, 84.379, 84.038 Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans, Federal Supplemental Educational Opportunity Grants, Federal Work-Study Program, Teacher Education Assistance for College and Higher Education Grants Federal Award Number: P063P230416, P268K240416, P007A234401, P033A234401, P379T240416 Award Year: 2023-24, 2022-23 Criteria: Per 16 CFR 314.3, institutions subject to the requirement shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size and complexity, the nature and scope of their activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in 16 CFR 314.4 and shall be reasonably designed to achieve the objectives of 16 CFR 314.3(b). These requirements were effective as of June 9, 2023. Condition/context: Based on our review of the information provided by the University, they are currently in the process of reviewing and finalizing their information security program. The written draft provided did not appear to have been updated in several years and did not clearly address all of the required elements in 16 CFR 314.4. Questioned costs: None. Cause/effect: The Integrated Technology Services department has experienced staff shortages which have contributed to the delay in implementation of this standard. The absence of a well-designed and documented policy addressing the standards set forth under the act could put the security, confidentiality, and integrity of student information at risk. 
Repeat finding: Yes, 2023-002 Recommendation: We recommend the University review the compliance requirements and update their written policy to ensure that it addresses all the required elements. Views of responsible officials and planned corrective actions: Saint Martin’s University management agrees with the finding. The University will review the requirements of 16 CFR 314.4, update our written policy to ensure that it addresses all the required elements 16 CFR 314.3(b), and perform an annual review of our updated policy to ensure that it continues to comply with all relevant regulations. The University is currently in the process of formally adopting a cybersecurity framework as well as securing a vendor to perform an IT security assessment. This ongoing work in the interest of the security, confidentiality, and integrity of student information will position us well to make the recommended updates to our policy.
Special Tests and Provisions – Enrollment Reporting – Significant Deficiency in Internal Controls over Compliance

Student Financial Assistance Cluster
U.S. Department of Education
Federal Assistance Listing Number: 84.063, 84.268
Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans
Federal Award Number: P063P230416, P268K240416
Award Year: 2023-24

Criteria: Uniform Guidance requires institutions to have internal controls in place to ensure attendance changes for students are reported to the National Student Loan Data System (NSLDS) within at least 60 days of when the student attendance change occurs. It is the University's responsibility to update students' enrollment information timely and accurately as outlined in 34 CFR section 685.309.

Condition/context: A sample of 40 students who were borrowers of Federal Direct student loans or recipients of Pell grants and had withdrawn or graduated from the University during the 2023-2024 fiscal year were selected. The enrollment information and withdrawal or graduation date per the University's records was compared to the information reported to the NSLDS. We noted that of the 40 students sampled, 19 students who had graduated and 3 students who had withdrawn from the University were not properly reported to NSLDS within the 60-day requirement. Our sample was not, and was not intended to be, statistically valid.

Questioned costs: None

Cause/effect: This occurred as a result of lack of well-documented controls over timely reporting to NSLDS. This resulted in late reporting of the information to NSLDS. The enrollment information reported to NSLDS is utilized by ED, the Direct Loan program, lenders, and other institutions to determine in-school status.

Repeat finding: No

Recommendation: We recommend the University further educate and train those involved in the reporting of enrollment status changes to the NSLDS. We also recommend the University review their documented policies and procedures and ensure controls exist and are well documented in order to ensure enrollment data is reported timely and accurately to NSLDS.

Views of responsible officials and planned corrective actions: Saint Martin’s University management agrees with the finding. The Director of Financial Aid will continue education on enrollment reporting requirements. The Director and the Registrar will continue to work together on enrollment reporting requirements. The Director of Financial Aid will now report withdrawals due to return to Title IV, as well as conferrals, to the National Student Loan Data System directly once the University receives notice of either withdrawal or completion of a degree. Weekly, withdrawals for return to Title IV are monitored and reported and now student financial aid will report directly to NSLDS to avoid any lag time in relying on reporting to the Clearinghouse. At the end of each term, after the Registrar has conferred degrees, student financial aid will also acquire the list of students who have graduated and report their graduation status to NSLDS.