FAC Explorer

Audit 325532

FY End
2024-05-31
Total Expended
$6.97M
Findings
12
Programs
7
Organization: Warner Pacific University (OR)
Year: 2024 Accepted: 2024-10-22
Auditor: Cliftonlarsonallen LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
503368 2024-001 Significant Deficiency Yes N
503369 2024-001 Significant Deficiency Yes N
503370 2024-001 Significant Deficiency Yes N
503371 2024-001 Significant Deficiency Yes N
503372 2024-001 Significant Deficiency Yes N
503373 2024-001 Significant Deficiency Yes N
1079810 2024-001 Significant Deficiency Yes N
1079811 2024-001 Significant Deficiency Yes N
1079812 2024-001 Significant Deficiency Yes N
1079813 2024-001 Significant Deficiency Yes N
1079814 2024-001 Significant Deficiency Yes N
1079815 2024-001 Significant Deficiency Yes N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $5.04M Yes 1
84.063 Federal Pell Grant Program $1.36M Yes 1
84.031 Higher Education_institutional Aid $198,474 - 0
84.033 Federal Work-Study Program $147,576 Yes 1
84.007 Federal Supplemental Educational Opportunity Grants $121,889 Yes 1
84.038 Federal Perkins Loan Program $89,515 Yes 1
84.379 Teacher Education Assistance for College and Higher Education Grants (teach Grants) $13,202 Yes 1

Contacts

Name Title Type
NSSLBY9PG9L5 Kevin Finn Auditee
5035171206 Brenda Scherer Auditor
No contacts on file

Notes to SEFA

Title: BASIS OF PRESENTATION Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule, if applicable, represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. De Minimis Rate Used: N Rate Explanation: The University has not elected to use the 10-percent de-minimis indirect cost rate as allowed under the Uniform Guidance. The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of Warner Pacific University (the University) under programs of the federal government for the year ended May 31, 2024. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the University, it is not intended to and does not present the financial position, changes in net assets, or cash flows of the University.
Title: FEDERAL STUDENT LOAN PROGRAM Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule, if applicable, represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. De Minimis Rate Used: N Rate Explanation: The University has not elected to use the 10-percent de-minimis indirect cost rate as allowed under the Uniform Guidance. The balance of loans outstanding at May 31, 2024 consists of: Program Title: Federal Perkins Loan Program Assistance Listing Number: 84.038 Amount Outstanding: $100,366

Finding Details

Finding 2024-001
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 – Federal Supplemental Education Opportunity Grants 84.033 – Federal Work Study Program 84.038 – Federal Perkins Loans 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans 84.379 – Teacher Education Assistance for College and Higher Education Grants Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There is one item missing entirely from the WISP: CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution). These risks could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Additionally, the WISP should assess the sufficiency of any safeguards in place to control these risks. There are five items included in draft policies; however, they are not implemented as of the end of the fiscal year: The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: • Implement and periodically review access controls. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. In addition, the draft policy relating to how the institution will oversee its information system service providers (16 CFR 314.4(f)) was not formally implemented. Questioned Costs: N/A Context: These new GLBA requirements became applicable on June 9, 2023. However, there are a few elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: Yes – 2023-003 Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of Responsible Officials and Planned Corrective Actions: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 – Federal Supplemental Education Opportunity Grants 84.033 – Federal Work Study Program 84.038 – Federal Perkins Loans 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans 84.379 – Teacher Education Assistance for College and Higher Education Grants Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There is one item missing entirely from the WISP: CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution). These risks could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Additionally, the WISP should assess the sufficiency of any safeguards in place to control these risks. There are five items included in draft policies; however, they are not implemented as of the end of the fiscal year: The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: • Implement and periodically review access controls. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. In addition, the draft policy relating to how the institution will oversee its information system service providers (16 CFR 314.4(f)) was not formally implemented. Questioned Costs: N/A Context: These new GLBA requirements became applicable on June 9, 2023. However, there are a few elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: Yes – 2023-003 Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of Responsible Officials and Planned Corrective Actions: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 – Federal Supplemental Education Opportunity Grants 84.033 – Federal Work Study Program 84.038 – Federal Perkins Loans 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans 84.379 – Teacher Education Assistance for College and Higher Education Grants Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There is one item missing entirely from the WISP: CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution). These risks could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Additionally, the WISP should assess the sufficiency of any safeguards in place to control these risks. There are five items included in draft policies; however, they are not implemented as of the end of the fiscal year: The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: • Implement and periodically review access controls. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. In addition, the draft policy relating to how the institution will oversee its information system service providers (16 CFR 314.4(f)) was not formally implemented. Questioned Costs: N/A Context: These new GLBA requirements became applicable on June 9, 2023. However, there are a few elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: Yes – 2023-003 Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of Responsible Officials and Planned Corrective Actions: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 – Federal Supplemental Education Opportunity Grants 84.033 – Federal Work Study Program 84.038 – Federal Perkins Loans 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans 84.379 – Teacher Education Assistance for College and Higher Education Grants Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There is one item missing entirely from the WISP: CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution). These risks could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Additionally, the WISP should assess the sufficiency of any safeguards in place to control these risks. There are five items included in draft policies; however, they are not implemented as of the end of the fiscal year: The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: • Implement and periodically review access controls. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. In addition, the draft policy relating to how the institution will oversee its information system service providers (16 CFR 314.4(f)) was not formally implemented. Questioned Costs: N/A Context: These new GLBA requirements became applicable on June 9, 2023. However, there are a few elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: Yes – 2023-003 Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of Responsible Officials and Planned Corrective Actions: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 – Federal Supplemental Education Opportunity Grants 84.033 – Federal Work Study Program 84.038 – Federal Perkins Loans 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans 84.379 – Teacher Education Assistance for College and Higher Education Grants Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There is one item missing entirely from the WISP: CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution). These risks could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Additionally, the WISP should assess the sufficiency of any safeguards in place to control these risks. There are five items included in draft policies; however, they are not implemented as of the end of the fiscal year: The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: • Implement and periodically review access controls. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. In addition, the draft policy relating to how the institution will oversee its information system service providers (16 CFR 314.4(f)) was not formally implemented. Questioned Costs: N/A Context: These new GLBA requirements became applicable on June 9, 2023. However, there are a few elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: Yes – 2023-003 Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of Responsible Officials and Planned Corrective Actions: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 – Federal Supplemental Education Opportunity Grants 84.033 – Federal Work Study Program 84.038 – Federal Perkins Loans 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans 84.379 – Teacher Education Assistance for College and Higher Education Grants Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There is one item missing entirely from the WISP: CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution). These risks could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Additionally, the WISP should assess the sufficiency of any safeguards in place to control these risks. There are five items included in draft policies; however, they are not implemented as of the end of the fiscal year: The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: • Implement and periodically review access controls. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. In addition, the draft policy relating to how the institution will oversee its information system service providers (16 CFR 314.4(f)) was not formally implemented. Questioned Costs: N/A Context: These new GLBA requirements became applicable on June 9, 2023. However, there are a few elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: Yes – 2023-003 Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of Responsible Officials and Planned Corrective Actions: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 – Federal Supplemental Education Opportunity Grants 84.033 – Federal Work Study Program 84.038 – Federal Perkins Loans 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans 84.379 – Teacher Education Assistance for College and Higher Education Grants Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There is one item missing entirely from the WISP: CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution). These risks could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Additionally, the WISP should assess the sufficiency of any safeguards in place to control these risks. There are five items included in draft policies; however, they are not implemented as of the end of the fiscal year: The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: • Implement and periodically review access controls. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. In addition, the draft policy relating to how the institution will oversee its information system service providers (16 CFR 314.4(f)) was not formally implemented. Questioned Costs: N/A Context: These new GLBA requirements became applicable on June 9, 2023. However, there are a few elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: Yes – 2023-003 Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of Responsible Officials and Planned Corrective Actions: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 – Federal Supplemental Education Opportunity Grants 84.033 – Federal Work Study Program 84.038 – Federal Perkins Loans 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans 84.379 – Teacher Education Assistance for College and Higher Education Grants Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There is one item missing entirely from the WISP: CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution). These risks could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Additionally, the WISP should assess the sufficiency of any safeguards in place to control these risks. There are five items included in draft policies; however, they are not implemented as of the end of the fiscal year: The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: • Implement and periodically review access controls. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. In addition, the draft policy relating to how the institution will oversee its information system service providers (16 CFR 314.4(f)) was not formally implemented. Questioned Costs: N/A Context: These new GLBA requirements became applicable on June 9, 2023. However, there are a few elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: Yes – 2023-003 Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of Responsible Officials and Planned Corrective Actions: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 – Federal Supplemental Education Opportunity Grants 84.033 – Federal Work Study Program 84.038 – Federal Perkins Loans 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans 84.379 – Teacher Education Assistance for College and Higher Education Grants Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There is one item missing entirely from the WISP: CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution). These risks could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Additionally, the WISP should assess the sufficiency of any safeguards in place to control these risks. There are five items included in draft policies; however, they are not implemented as of the end of the fiscal year: The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: • Implement and periodically review access controls. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. In addition, the draft policy relating to how the institution will oversee its information system service providers (16 CFR 314.4(f)) was not formally implemented. Questioned Costs: N/A Context: These new GLBA requirements became applicable on June 9, 2023. However, there are a few elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: Yes – 2023-003 Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of Responsible Officials and Planned Corrective Actions: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 – Federal Supplemental Education Opportunity Grants 84.033 – Federal Work Study Program 84.038 – Federal Perkins Loans 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans 84.379 – Teacher Education Assistance for College and Higher Education Grants Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There is one item missing entirely from the WISP: CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution). These risks could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Additionally, the WISP should assess the sufficiency of any safeguards in place to control these risks. There are five items included in draft policies; however, they are not implemented as of the end of the fiscal year: The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: • Implement and periodically review access controls. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. In addition, the draft policy relating to how the institution will oversee its information system service providers (16 CFR 314.4(f)) was not formally implemented. Questioned Costs: N/A Context: These new GLBA requirements became applicable on June 9, 2023. However, there are a few elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: Yes – 2023-003 Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of Responsible Officials and Planned Corrective Actions: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 – Federal Supplemental Education Opportunity Grants 84.033 – Federal Work Study Program 84.038 – Federal Perkins Loans 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans 84.379 – Teacher Education Assistance for College and Higher Education Grants Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There is one item missing entirely from the WISP: CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution). These risks could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Additionally, the WISP should assess the sufficiency of any safeguards in place to control these risks. There are five items included in draft policies; however, they are not implemented as of the end of the fiscal year: The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: • Implement and periodically review access controls. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. In addition, the draft policy relating to how the institution will oversee its information system service providers (16 CFR 314.4(f)) was not formally implemented. Questioned Costs: N/A Context: These new GLBA requirements became applicable on June 9, 2023. However, there are a few elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: Yes – 2023-003 Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of Responsible Officials and Planned Corrective Actions: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: 84.007 – Federal Supplemental Education Opportunity Grants 84.033 – Federal Work Study Program 84.038 – Federal Perkins Loans 84.063 – Federal Pell Grant Program 84.268 – Federal Direct Student Loans 84.379 – Teacher Education Assistance for College and Higher Education Grants Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Period: June 1, 2023 to May 31, 2024 Type of Finding: • Significant Deficiency in Internal Control over Compliance • Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There is one item missing entirely from the WISP: CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution). These risks could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Additionally, the WISP should assess the sufficiency of any safeguards in place to control these risks. There are five items included in draft policies; however, they are not implemented as of the end of the fiscal year: The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP: • Implement and periodically review access controls. • Assess apps developed by the institution • Implement multi-factor authentication for anyone accessing customer information on the institution’s system • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. In addition, the draft policy relating to how the institution will oversee its information system service providers (16 CFR 314.4(f)) was not formally implemented. Questioned Costs: N/A Context: These new GLBA requirements became applicable on June 9, 2023. However, there are a few elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year. Effect: The student personal information could be vulnerable. Repeat Finding: Yes – 2023-003 Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented. Views of Responsible Officials and Planned Corrective Actions: There is no disagreement with the audit finding.