Criteria or specific requirement – Special Tests and Provisions – Enrollment Reporting (34 CFR 690.93(b)(2); 34 CFR 682.610; 34 CFR 685.309). Institutions are required to report enrollment information.
Condition – The University’s processes did not ensure timely and accurate student status reporting to National Student Loan Data System (NSLDS).
Questioned costs – None
Context – Out of the population of 245 students with student attendance changes a sample of 25 students was selected for testing. Our sampling method was not, and was not intended to be, statistically valid. There were 14 attributes tested for each student with at least one status change, which were as follows:
Campus-Level records:
1. OPEID Number
2. Enrollment Effective Date
3. Enrollment Status
4. Certification Date
Program-Level records
5. OPEID
6. CIP Code
7. CIP Year
8. Credential Level
9. Published Program Length Measurement
10. Published Program Length
11. Program Begin Date
12. Program Enrollment Status
13. Program Enrollment Effective Date
Other Records
14. Student changed his or her permanent address.
The University did not report 5 student’s statuses timely, the University reported the incorrect status change date for 12 students, the incorrect program length for Master’s programs was reported for 6 students and 2 students had never been reported.
Effect – The University did not report the status changes timely.
Cause – The University’s processes did not ensure status changes were reported timely and accurately.
Identification as a repeat finding, if applicable – 2023-002 and 2022-001
Recommendation – The University should update their controls to ensure changes in students’ enrollment status are reported in a timely and accurate manner.
Views of responsible officials, reason for recurrence and planned corrective actions - Upon reflection of the term end date and subsequently the status change date, the Office of Registrar updated the term end date to the last date of educationally related activities more widely known as the last date of the final examinations for each relevant term.
Upon consultation with the Office of the Provost and the appropriate Deans of the affected Colleges, the program length for the Master’s programs at the University will be updated to two (2), for those programs between 30 and 36 credit hours in length; and three (3) academic years, for those whose minimum credit hours exceeds 36 credit hours, which will meet a reasonable progression to such degree. The Office of Registrar will update all such programs for the University.
The Office of Registrar and the Office of Financial Aid explored reporting enrollment directly to the National Student Loan Data System and while such was initially promising, the Office of Financial Aid determined that such activity would be disruptive to the business practices of the University given the work needed for the Financial Value Transparency and Gainful Employment reporting in which the National Student Loan Clearinghouse (NSLC) has served as an invaluable partner. This option may still be explored further if additional resources become available.
The Office of the Registrar will split the graduation file sent to our third-party servicer, NSLC, so that the students from the College of Business who are on a different calendar may be reported to NSLDS sooner which should assist in reporting those students on an earlier timeframe.
The Office of Registrar will begin rolling grades the week after Add/Drop on a weekly basis of each term to reduce the timeframe for students who have withdrawn from a course to be reported to NSLDS.
The Office of the Registrar will update the grading policy in Ellucian Banner to align any changes in grading policy for students who fail to attend course.
The Office of Financial Aid will work with the Student Registrar to ensure such reporting is accurate by reviewing the set-up of such data points as Enrollment Effective Date, Enrollment Status, Term Begin Date, Term End Date and Award Completion Date.
Implementation: The responsible parties include the Office of Registrar, the Office of Financial Aid along with the staff of Information Technology. Some updates to the status change dates or term end dates have already been recorded. Updates to the program length for Master’s programs will be made by November 2024. Implementation of internal Office of Registrar functions to assist in reporting for changes in grades and enrollment levels should be in place by November 2024. Any change in the processing of the Graduated file from NSLC should be in place by the anticipated date of implementation of February 2025. Full utilization of all changes by close of the Spring 2025 term.
Criteria or specific requirement – Special Tests and Provisions – Enrollment Reporting (34 CFR 690.93(b)(2); 34 CFR 682.610; 34 CFR 685.309). Institutions are required to report enrollment information.
Condition – The University’s processes did not ensure timely and accurate student status reporting to National Student Loan Data System (NSLDS).
Questioned costs – None
Context – Out of the population of 245 students with student attendance changes a sample of 25 students was selected for testing. Our sampling method was not, and was not intended to be, statistically valid. There were 14 attributes tested for each student with at least one status change, which were as follows:
Campus-Level records:
1. OPEID Number
2. Enrollment Effective Date
3. Enrollment Status
4. Certification Date
Program-Level records
5. OPEID
6. CIP Code
7. CIP Year
8. Credential Level
9. Published Program Length Measurement
10. Published Program Length
11. Program Begin Date
12. Program Enrollment Status
13. Program Enrollment Effective Date
Other Records
14. Student changed his or her permanent address.
The University did not report 5 student’s statuses timely, the University reported the incorrect status change date for 12 students, the incorrect program length for Master’s programs was reported for 6 students and 2 students had never been reported.
Effect – The University did not report the status changes timely.
Cause – The University’s processes did not ensure status changes were reported timely and accurately.
Identification as a repeat finding, if applicable – 2023-002 and 2022-001
Recommendation – The University should update their controls to ensure changes in students’ enrollment status are reported in a timely and accurate manner.
Views of responsible officials, reason for recurrence and planned corrective actions - Upon reflection of the term end date and subsequently the status change date, the Office of Registrar updated the term end date to the last date of educationally related activities more widely known as the last date of the final examinations for each relevant term.
Upon consultation with the Office of the Provost and the appropriate Deans of the affected Colleges, the program length for the Master’s programs at the University will be updated to two (2), for those programs between 30 and 36 credit hours in length; and three (3) academic years, for those whose minimum credit hours exceeds 36 credit hours, which will meet a reasonable progression to such degree. The Office of Registrar will update all such programs for the University.
The Office of Registrar and the Office of Financial Aid explored reporting enrollment directly to the National Student Loan Data System and while such was initially promising, the Office of Financial Aid determined that such activity would be disruptive to the business practices of the University given the work needed for the Financial Value Transparency and Gainful Employment reporting in which the National Student Loan Clearinghouse (NSLC) has served as an invaluable partner. This option may still be explored further if additional resources become available.
The Office of the Registrar will split the graduation file sent to our third-party servicer, NSLC, so that the students from the College of Business who are on a different calendar may be reported to NSLDS sooner which should assist in reporting those students on an earlier timeframe.
The Office of Registrar will begin rolling grades the week after Add/Drop on a weekly basis of each term to reduce the timeframe for students who have withdrawn from a course to be reported to NSLDS.
The Office of the Registrar will update the grading policy in Ellucian Banner to align any changes in grading policy for students who fail to attend course.
The Office of Financial Aid will work with the Student Registrar to ensure such reporting is accurate by reviewing the set-up of such data points as Enrollment Effective Date, Enrollment Status, Term Begin Date, Term End Date and Award Completion Date.
Implementation: The responsible parties include the Office of Registrar, the Office of Financial Aid along with the staff of Information Technology. Some updates to the status change dates or term end dates have already been recorded. Updates to the program length for Master’s programs will be made by November 2024. Implementation of internal Office of Registrar functions to assist in reporting for changes in grades and enrollment levels should be in place by November 2024. Any change in the processing of the Graduated file from NSLC should be in place by the anticipated date of implementation of February 2025. Full utilization of all changes by close of the Spring 2025 term.
Criteria or specific requirement – Special Tests and Provisions – Gramm-Leach-Bailey Act (16 CFR 314) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bailey Act (GLBA) because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).
Condition – The University must have a written information security program that addresses the required minimum seven elements.
Questioned costs – $0
Context – The University does not have a written information security program that addresses the required elements. The University has designated their Chief Information Officer as the qualified individual responsible for implementing and monitoring their information security program. They have started addressing the additional required elements, including reviewing access controls, implementing multi-factor authentication for students, disposing of student information securely, and performing annual penetration testing, reviewing the log for unauthorized access, implementing multi-factor authentication for staff and faculty with access to student information, implementing policies and procedures to ensure that personnel are able to enact the information security program and encrypting all information, on the institution’s system and when it’s in transit.
Effect – The University did not implement the revised GLBA regulations by the required date.
Cause – The University’s controls did not ensure the revised GLBA regulations were implemented by the required date.
Identification of a repeat finding, if applicable – N/A
Recommendation – The University should complete the written information security program and ensure the additional required GLBA elements are included.
Views of responsible officials and planned corrective accounts – On July 19, 2024, the University of Dallas received a notification from Forvis Mazars concerning several outstanding items from the latest Gramm-Leach-Bliley Act (GLBA) requirements in the compliance audit. The Chief Information Security Officer (CISO), IT security personnel and Chief Information Officer (CIO) compiled the necessary information to provide an accurate status update on the remediation efforts for each item.
See corrective action plan for the current remediation status as of September 5, 2024.
Criteria or specific requirement – Special Tests and Provisions – Gramm-Leach-Bailey Act (16 CFR 314) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bailey Act (GLBA) because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).
Condition – The University must have a written information security program that addresses the required minimum seven elements.
Questioned costs – $0
Context – The University does not have a written information security program that addresses the required elements. The University has designated their Chief Information Officer as the qualified individual responsible for implementing and monitoring their information security program. They have started addressing the additional required elements, including reviewing access controls, implementing multi-factor authentication for students, disposing of student information securely, and performing annual penetration testing, reviewing the log for unauthorized access, implementing multi-factor authentication for staff and faculty with access to student information, implementing policies and procedures to ensure that personnel are able to enact the information security program and encrypting all information, on the institution’s system and when it’s in transit.
Effect – The University did not implement the revised GLBA regulations by the required date.
Cause – The University’s controls did not ensure the revised GLBA regulations were implemented by the required date.
Identification of a repeat finding, if applicable – N/A
Recommendation – The University should complete the written information security program and ensure the additional required GLBA elements are included.
Views of responsible officials and planned corrective accounts – On July 19, 2024, the University of Dallas received a notification from Forvis Mazars concerning several outstanding items from the latest Gramm-Leach-Bliley Act (GLBA) requirements in the compliance audit. The Chief Information Security Officer (CISO), IT security personnel and Chief Information Officer (CIO) compiled the necessary information to provide an accurate status update on the remediation efforts for each item.
See corrective action plan for the current remediation status as of September 5, 2024.
Criteria or specific requirement – Special Tests and Provisions – Gramm-Leach-Bailey Act (16 CFR 314) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bailey Act (GLBA) because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).
Condition – The University must have a written information security program that addresses the required minimum seven elements.
Questioned costs – $0
Context – The University does not have a written information security program that addresses the required elements. The University has designated their Chief Information Officer as the qualified individual responsible for implementing and monitoring their information security program. They have started addressing the additional required elements, including reviewing access controls, implementing multi-factor authentication for students, disposing of student information securely, and performing annual penetration testing, reviewing the log for unauthorized access, implementing multi-factor authentication for staff and faculty with access to student information, implementing policies and procedures to ensure that personnel are able to enact the information security program and encrypting all information, on the institution’s system and when it’s in transit.
Effect – The University did not implement the revised GLBA regulations by the required date.
Cause – The University’s controls did not ensure the revised GLBA regulations were implemented by the required date.
Identification of a repeat finding, if applicable – N/A
Recommendation – The University should complete the written information security program and ensure the additional required GLBA elements are included.
Views of responsible officials and planned corrective accounts – On July 19, 2024, the University of Dallas received a notification from Forvis Mazars concerning several outstanding items from the latest Gramm-Leach-Bliley Act (GLBA) requirements in the compliance audit. The Chief Information Security Officer (CISO), IT security personnel and Chief Information Officer (CIO) compiled the necessary information to provide an accurate status update on the remediation efforts for each item.
See corrective action plan for the current remediation status as of September 5, 2024.
Criteria or specific requirement – Special Tests and Provisions – Gramm-Leach-Bailey Act (16 CFR 314) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bailey Act (GLBA) because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).
Condition – The University must have a written information security program that addresses the required minimum seven elements.
Questioned costs – $0
Context – The University does not have a written information security program that addresses the required elements. The University has designated their Chief Information Officer as the qualified individual responsible for implementing and monitoring their information security program. They have started addressing the additional required elements, including reviewing access controls, implementing multi-factor authentication for students, disposing of student information securely, and performing annual penetration testing, reviewing the log for unauthorized access, implementing multi-factor authentication for staff and faculty with access to student information, implementing policies and procedures to ensure that personnel are able to enact the information security program and encrypting all information, on the institution’s system and when it’s in transit.
Effect – The University did not implement the revised GLBA regulations by the required date.
Cause – The University’s controls did not ensure the revised GLBA regulations were implemented by the required date.
Identification of a repeat finding, if applicable – N/A
Recommendation – The University should complete the written information security program and ensure the additional required GLBA elements are included.
Views of responsible officials and planned corrective accounts – On July 19, 2024, the University of Dallas received a notification from Forvis Mazars concerning several outstanding items from the latest Gramm-Leach-Bliley Act (GLBA) requirements in the compliance audit. The Chief Information Security Officer (CISO), IT security personnel and Chief Information Officer (CIO) compiled the necessary information to provide an accurate status update on the remediation efforts for each item.
See corrective action plan for the current remediation status as of September 5, 2024.
Criteria or specific requirement – Special Tests and Provisions – Gramm-Leach-Bailey Act (16 CFR 314) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bailey Act (GLBA) because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).
Condition – The University must have a written information security program that addresses the required minimum seven elements.
Questioned costs – $0
Context – The University does not have a written information security program that addresses the required elements. The University has designated their Chief Information Officer as the qualified individual responsible for implementing and monitoring their information security program. They have started addressing the additional required elements, including reviewing access controls, implementing multi-factor authentication for students, disposing of student information securely, and performing annual penetration testing, reviewing the log for unauthorized access, implementing multi-factor authentication for staff and faculty with access to student information, implementing policies and procedures to ensure that personnel are able to enact the information security program and encrypting all information, on the institution’s system and when it’s in transit.
Effect – The University did not implement the revised GLBA regulations by the required date.
Cause – The University’s controls did not ensure the revised GLBA regulations were implemented by the required date.
Identification of a repeat finding, if applicable – N/A
Recommendation – The University should complete the written information security program and ensure the additional required GLBA elements are included.
Views of responsible officials and planned corrective accounts – On July 19, 2024, the University of Dallas received a notification from Forvis Mazars concerning several outstanding items from the latest Gramm-Leach-Bliley Act (GLBA) requirements in the compliance audit. The Chief Information Security Officer (CISO), IT security personnel and Chief Information Officer (CIO) compiled the necessary information to provide an accurate status update on the remediation efforts for each item.
See corrective action plan for the current remediation status as of September 5, 2024.
Criteria or specific requirement – Special Tests and Provisions – Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device (34 CFR 668.164(e) and (f).
Condition – The University did not provide a URL for the contract to the Department of Education for publication in the Cash Management Contracts Database.
Questioned Costs - $0
Context – The University entered into an agreement with a servicer to deliver Title IV credit balances in 2017 but did not provide the URL to the Department of Education.
Effect – The University was not in compliance with the requirements noted above.
Cause – The University’s internal controls did not ensure the required information was provided to the Department of Education.
Identification of repeat finding, if applicable – N/A
Views of responsible officials and planned corrective actions – The University has reviewed the requirements in 34 CFR 668.164(e) and (f) and the required information was submitted to the Department of Education on September 13, 2024. It should be noted that the information was available to the student’s on the University’s website at all times required.
Criteria or specific requirement – Special Tests and Provisions – Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device (34 CFR 668.164(e) and (f).
Condition – The University did not provide a URL for the contract to the Department of Education for publication in the Cash Management Contracts Database.
Questioned Costs - $0
Context – The University entered into an agreement with a servicer to deliver Title IV credit balances in 2017 but did not provide the URL to the Department of Education.
Effect – The University was not in compliance with the requirements noted above.
Cause – The University’s internal controls did not ensure the required information was provided to the Department of Education.
Identification of repeat finding, if applicable – N/A
Views of responsible officials and planned corrective actions – The University has reviewed the requirements in 34 CFR 668.164(e) and (f) and the required information was submitted to the Department of Education on September 13, 2024. It should be noted that the information was available to the student’s on the University’s website at all times required.
Criteria or specific requirement – Special Tests and Provisions – Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device (34 CFR 668.164(e) and (f).
Condition – The University did not provide a URL for the contract to the Department of Education for publication in the Cash Management Contracts Database.
Questioned Costs - $0
Context – The University entered into an agreement with a servicer to deliver Title IV credit balances in 2017 but did not provide the URL to the Department of Education.
Effect – The University was not in compliance with the requirements noted above.
Cause – The University’s internal controls did not ensure the required information was provided to the Department of Education.
Identification of repeat finding, if applicable – N/A
Views of responsible officials and planned corrective actions – The University has reviewed the requirements in 34 CFR 668.164(e) and (f) and the required information was submitted to the Department of Education on September 13, 2024. It should be noted that the information was available to the student’s on the University’s website at all times required.
Criteria or specific requirement – Special Tests and Provisions – Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device (34 CFR 668.164(e) and (f).
Condition – The University did not provide a URL for the contract to the Department of Education for publication in the Cash Management Contracts Database.
Questioned Costs - $0
Context – The University entered into an agreement with a servicer to deliver Title IV credit balances in 2017 but did not provide the URL to the Department of Education.
Effect – The University was not in compliance with the requirements noted above.
Cause – The University’s internal controls did not ensure the required information was provided to the Department of Education.
Identification of repeat finding, if applicable – N/A
Views of responsible officials and planned corrective actions – The University has reviewed the requirements in 34 CFR 668.164(e) and (f) and the required information was submitted to the Department of Education on September 13, 2024. It should be noted that the information was available to the student’s on the University’s website at all times required.
Criteria or specific requirement – Special Tests and Provisions – Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device (34 CFR 668.164(e) and (f).
Condition – The University did not provide a URL for the contract to the Department of Education for publication in the Cash Management Contracts Database.
Questioned Costs - $0
Context – The University entered into an agreement with a servicer to deliver Title IV credit balances in 2017 but did not provide the URL to the Department of Education.
Effect – The University was not in compliance with the requirements noted above.
Cause – The University’s internal controls did not ensure the required information was provided to the Department of Education.
Identification of repeat finding, if applicable – N/A
Views of responsible officials and planned corrective actions – The University has reviewed the requirements in 34 CFR 668.164(e) and (f) and the required information was submitted to the Department of Education on September 13, 2024. It should be noted that the information was available to the student’s on the University’s website at all times required.
Criteria or specific requirement – Special Tests and Provisions – Enrollment Reporting (34 CFR 690.93(b)(2); 34 CFR 682.610; 34 CFR 685.309). Institutions are required to report enrollment information.
Condition – The University’s processes did not ensure timely and accurate student status reporting to National Student Loan Data System (NSLDS).
Questioned costs – None
Context – Out of the population of 245 students with student attendance changes a sample of 25 students was selected for testing. Our sampling method was not, and was not intended to be, statistically valid. There were 14 attributes tested for each student with at least one status change, which were as follows:
Campus-Level records:
1. OPEID Number
2. Enrollment Effective Date
3. Enrollment Status
4. Certification Date
Program-Level records
5. OPEID
6. CIP Code
7. CIP Year
8. Credential Level
9. Published Program Length Measurement
10. Published Program Length
11. Program Begin Date
12. Program Enrollment Status
13. Program Enrollment Effective Date
Other Records
14. Student changed his or her permanent address.
The University did not report 5 student’s statuses timely, the University reported the incorrect status change date for 12 students, the incorrect program length for Master’s programs was reported for 6 students and 2 students had never been reported.
Effect – The University did not report the status changes timely.
Cause – The University’s processes did not ensure status changes were reported timely and accurately.
Identification as a repeat finding, if applicable – 2023-002 and 2022-001
Recommendation – The University should update their controls to ensure changes in students’ enrollment status are reported in a timely and accurate manner.
Views of responsible officials, reason for recurrence and planned corrective actions - Upon reflection of the term end date and subsequently the status change date, the Office of Registrar updated the term end date to the last date of educationally related activities more widely known as the last date of the final examinations for each relevant term.
Upon consultation with the Office of the Provost and the appropriate Deans of the affected Colleges, the program length for the Master’s programs at the University will be updated to two (2), for those programs between 30 and 36 credit hours in length; and three (3) academic years, for those whose minimum credit hours exceeds 36 credit hours, which will meet a reasonable progression to such degree. The Office of Registrar will update all such programs for the University.
The Office of Registrar and the Office of Financial Aid explored reporting enrollment directly to the National Student Loan Data System and while such was initially promising, the Office of Financial Aid determined that such activity would be disruptive to the business practices of the University given the work needed for the Financial Value Transparency and Gainful Employment reporting in which the National Student Loan Clearinghouse (NSLC) has served as an invaluable partner. This option may still be explored further if additional resources become available.
The Office of the Registrar will split the graduation file sent to our third-party servicer, NSLC, so that the students from the College of Business who are on a different calendar may be reported to NSLDS sooner which should assist in reporting those students on an earlier timeframe.
The Office of Registrar will begin rolling grades the week after Add/Drop on a weekly basis of each term to reduce the timeframe for students who have withdrawn from a course to be reported to NSLDS.
The Office of the Registrar will update the grading policy in Ellucian Banner to align any changes in grading policy for students who fail to attend course.
The Office of Financial Aid will work with the Student Registrar to ensure such reporting is accurate by reviewing the set-up of such data points as Enrollment Effective Date, Enrollment Status, Term Begin Date, Term End Date and Award Completion Date.
Implementation: The responsible parties include the Office of Registrar, the Office of Financial Aid along with the staff of Information Technology. Some updates to the status change dates or term end dates have already been recorded. Updates to the program length for Master’s programs will be made by November 2024. Implementation of internal Office of Registrar functions to assist in reporting for changes in grades and enrollment levels should be in place by November 2024. Any change in the processing of the Graduated file from NSLC should be in place by the anticipated date of implementation of February 2025. Full utilization of all changes by close of the Spring 2025 term.
Criteria or specific requirement – Special Tests and Provisions – Enrollment Reporting (34 CFR 690.93(b)(2); 34 CFR 682.610; 34 CFR 685.309). Institutions are required to report enrollment information.
Condition – The University’s processes did not ensure timely and accurate student status reporting to National Student Loan Data System (NSLDS).
Questioned costs – None
Context – Out of the population of 245 students with student attendance changes a sample of 25 students was selected for testing. Our sampling method was not, and was not intended to be, statistically valid. There were 14 attributes tested for each student with at least one status change, which were as follows:
Campus-Level records:
1. OPEID Number
2. Enrollment Effective Date
3. Enrollment Status
4. Certification Date
Program-Level records
5. OPEID
6. CIP Code
7. CIP Year
8. Credential Level
9. Published Program Length Measurement
10. Published Program Length
11. Program Begin Date
12. Program Enrollment Status
13. Program Enrollment Effective Date
Other Records
14. Student changed his or her permanent address.
The University did not report 5 student’s statuses timely, the University reported the incorrect status change date for 12 students, the incorrect program length for Master’s programs was reported for 6 students and 2 students had never been reported.
Effect – The University did not report the status changes timely.
Cause – The University’s processes did not ensure status changes were reported timely and accurately.
Identification as a repeat finding, if applicable – 2023-002 and 2022-001
Recommendation – The University should update their controls to ensure changes in students’ enrollment status are reported in a timely and accurate manner.
Views of responsible officials, reason for recurrence and planned corrective actions - Upon reflection of the term end date and subsequently the status change date, the Office of Registrar updated the term end date to the last date of educationally related activities more widely known as the last date of the final examinations for each relevant term.
Upon consultation with the Office of the Provost and the appropriate Deans of the affected Colleges, the program length for the Master’s programs at the University will be updated to two (2), for those programs between 30 and 36 credit hours in length; and three (3) academic years, for those whose minimum credit hours exceeds 36 credit hours, which will meet a reasonable progression to such degree. The Office of Registrar will update all such programs for the University.
The Office of Registrar and the Office of Financial Aid explored reporting enrollment directly to the National Student Loan Data System and while such was initially promising, the Office of Financial Aid determined that such activity would be disruptive to the business practices of the University given the work needed for the Financial Value Transparency and Gainful Employment reporting in which the National Student Loan Clearinghouse (NSLC) has served as an invaluable partner. This option may still be explored further if additional resources become available.
The Office of the Registrar will split the graduation file sent to our third-party servicer, NSLC, so that the students from the College of Business who are on a different calendar may be reported to NSLDS sooner which should assist in reporting those students on an earlier timeframe.
The Office of Registrar will begin rolling grades the week after Add/Drop on a weekly basis of each term to reduce the timeframe for students who have withdrawn from a course to be reported to NSLDS.
The Office of the Registrar will update the grading policy in Ellucian Banner to align any changes in grading policy for students who fail to attend course.
The Office of Financial Aid will work with the Student Registrar to ensure such reporting is accurate by reviewing the set-up of such data points as Enrollment Effective Date, Enrollment Status, Term Begin Date, Term End Date and Award Completion Date.
Implementation: The responsible parties include the Office of Registrar, the Office of Financial Aid along with the staff of Information Technology. Some updates to the status change dates or term end dates have already been recorded. Updates to the program length for Master’s programs will be made by November 2024. Implementation of internal Office of Registrar functions to assist in reporting for changes in grades and enrollment levels should be in place by November 2024. Any change in the processing of the Graduated file from NSLC should be in place by the anticipated date of implementation of February 2025. Full utilization of all changes by close of the Spring 2025 term.
Criteria or specific requirement – Special Tests and Provisions – Gramm-Leach-Bailey Act (16 CFR 314) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bailey Act (GLBA) because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).
Condition – The University must have a written information security program that addresses the required minimum seven elements.
Questioned costs – $0
Context – The University does not have a written information security program that addresses the required elements. The University has designated their Chief Information Officer as the qualified individual responsible for implementing and monitoring their information security program. They have started addressing the additional required elements, including reviewing access controls, implementing multi-factor authentication for students, disposing of student information securely, and performing annual penetration testing, reviewing the log for unauthorized access, implementing multi-factor authentication for staff and faculty with access to student information, implementing policies and procedures to ensure that personnel are able to enact the information security program and encrypting all information, on the institution’s system and when it’s in transit.
Effect – The University did not implement the revised GLBA regulations by the required date.
Cause – The University’s controls did not ensure the revised GLBA regulations were implemented by the required date.
Identification of a repeat finding, if applicable – N/A
Recommendation – The University should complete the written information security program and ensure the additional required GLBA elements are included.
Views of responsible officials and planned corrective accounts – On July 19, 2024, the University of Dallas received a notification from Forvis Mazars concerning several outstanding items from the latest Gramm-Leach-Bliley Act (GLBA) requirements in the compliance audit. The Chief Information Security Officer (CISO), IT security personnel and Chief Information Officer (CIO) compiled the necessary information to provide an accurate status update on the remediation efforts for each item.
See corrective action plan for the current remediation status as of September 5, 2024.
Criteria or specific requirement – Special Tests and Provisions – Gramm-Leach-Bailey Act (16 CFR 314) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bailey Act (GLBA) because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).
Condition – The University must have a written information security program that addresses the required minimum seven elements.
Questioned costs – $0
Context – The University does not have a written information security program that addresses the required elements. The University has designated their Chief Information Officer as the qualified individual responsible for implementing and monitoring their information security program. They have started addressing the additional required elements, including reviewing access controls, implementing multi-factor authentication for students, disposing of student information securely, and performing annual penetration testing, reviewing the log for unauthorized access, implementing multi-factor authentication for staff and faculty with access to student information, implementing policies and procedures to ensure that personnel are able to enact the information security program and encrypting all information, on the institution’s system and when it’s in transit.
Effect – The University did not implement the revised GLBA regulations by the required date.
Cause – The University’s controls did not ensure the revised GLBA regulations were implemented by the required date.
Identification of a repeat finding, if applicable – N/A
Recommendation – The University should complete the written information security program and ensure the additional required GLBA elements are included.
Views of responsible officials and planned corrective accounts – On July 19, 2024, the University of Dallas received a notification from Forvis Mazars concerning several outstanding items from the latest Gramm-Leach-Bliley Act (GLBA) requirements in the compliance audit. The Chief Information Security Officer (CISO), IT security personnel and Chief Information Officer (CIO) compiled the necessary information to provide an accurate status update on the remediation efforts for each item.
See corrective action plan for the current remediation status as of September 5, 2024.
Criteria or specific requirement – Special Tests and Provisions – Gramm-Leach-Bailey Act (16 CFR 314) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bailey Act (GLBA) because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).
Condition – The University must have a written information security program that addresses the required minimum seven elements.
Questioned costs – $0
Context – The University does not have a written information security program that addresses the required elements. The University has designated their Chief Information Officer as the qualified individual responsible for implementing and monitoring their information security program. They have started addressing the additional required elements, including reviewing access controls, implementing multi-factor authentication for students, disposing of student information securely, and performing annual penetration testing, reviewing the log for unauthorized access, implementing multi-factor authentication for staff and faculty with access to student information, implementing policies and procedures to ensure that personnel are able to enact the information security program and encrypting all information, on the institution’s system and when it’s in transit.
Effect – The University did not implement the revised GLBA regulations by the required date.
Cause – The University’s controls did not ensure the revised GLBA regulations were implemented by the required date.
Identification of a repeat finding, if applicable – N/A
Recommendation – The University should complete the written information security program and ensure the additional required GLBA elements are included.
Views of responsible officials and planned corrective accounts – On July 19, 2024, the University of Dallas received a notification from Forvis Mazars concerning several outstanding items from the latest Gramm-Leach-Bliley Act (GLBA) requirements in the compliance audit. The Chief Information Security Officer (CISO), IT security personnel and Chief Information Officer (CIO) compiled the necessary information to provide an accurate status update on the remediation efforts for each item.
See corrective action plan for the current remediation status as of September 5, 2024.
Criteria or specific requirement – Special Tests and Provisions – Gramm-Leach-Bailey Act (16 CFR 314) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bailey Act (GLBA) because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).
Condition – The University must have a written information security program that addresses the required minimum seven elements.
Questioned costs – $0
Context – The University does not have a written information security program that addresses the required elements. The University has designated their Chief Information Officer as the qualified individual responsible for implementing and monitoring their information security program. They have started addressing the additional required elements, including reviewing access controls, implementing multi-factor authentication for students, disposing of student information securely, and performing annual penetration testing, reviewing the log for unauthorized access, implementing multi-factor authentication for staff and faculty with access to student information, implementing policies and procedures to ensure that personnel are able to enact the information security program and encrypting all information, on the institution’s system and when it’s in transit.
Effect – The University did not implement the revised GLBA regulations by the required date.
Cause – The University’s controls did not ensure the revised GLBA regulations were implemented by the required date.
Identification of a repeat finding, if applicable – N/A
Recommendation – The University should complete the written information security program and ensure the additional required GLBA elements are included.
Views of responsible officials and planned corrective accounts – On July 19, 2024, the University of Dallas received a notification from Forvis Mazars concerning several outstanding items from the latest Gramm-Leach-Bliley Act (GLBA) requirements in the compliance audit. The Chief Information Security Officer (CISO), IT security personnel and Chief Information Officer (CIO) compiled the necessary information to provide an accurate status update on the remediation efforts for each item.
See corrective action plan for the current remediation status as of September 5, 2024.
Criteria or specific requirement – Special Tests and Provisions – Gramm-Leach-Bailey Act (16 CFR 314) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bailey Act (GLBA) because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).
Condition – The University must have a written information security program that addresses the required minimum seven elements.
Questioned costs – $0
Context – The University does not have a written information security program that addresses the required elements. The University has designated their Chief Information Officer as the qualified individual responsible for implementing and monitoring their information security program. They have started addressing the additional required elements, including reviewing access controls, implementing multi-factor authentication for students, disposing of student information securely, and performing annual penetration testing, reviewing the log for unauthorized access, implementing multi-factor authentication for staff and faculty with access to student information, implementing policies and procedures to ensure that personnel are able to enact the information security program and encrypting all information, on the institution’s system and when it’s in transit.
Effect – The University did not implement the revised GLBA regulations by the required date.
Cause – The University’s controls did not ensure the revised GLBA regulations were implemented by the required date.
Identification of a repeat finding, if applicable – N/A
Recommendation – The University should complete the written information security program and ensure the additional required GLBA elements are included.
Views of responsible officials and planned corrective accounts – On July 19, 2024, the University of Dallas received a notification from Forvis Mazars concerning several outstanding items from the latest Gramm-Leach-Bliley Act (GLBA) requirements in the compliance audit. The Chief Information Security Officer (CISO), IT security personnel and Chief Information Officer (CIO) compiled the necessary information to provide an accurate status update on the remediation efforts for each item.
See corrective action plan for the current remediation status as of September 5, 2024.
Criteria or specific requirement – Special Tests and Provisions – Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device (34 CFR 668.164(e) and (f).
Condition – The University did not provide a URL for the contract to the Department of Education for publication in the Cash Management Contracts Database.
Questioned Costs - $0
Context – The University entered into an agreement with a servicer to deliver Title IV credit balances in 2017 but did not provide the URL to the Department of Education.
Effect – The University was not in compliance with the requirements noted above.
Cause – The University’s internal controls did not ensure the required information was provided to the Department of Education.
Identification of repeat finding, if applicable – N/A
Views of responsible officials and planned corrective actions – The University has reviewed the requirements in 34 CFR 668.164(e) and (f) and the required information was submitted to the Department of Education on September 13, 2024. It should be noted that the information was available to the student’s on the University’s website at all times required.
Criteria or specific requirement – Special Tests and Provisions – Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device (34 CFR 668.164(e) and (f).
Condition – The University did not provide a URL for the contract to the Department of Education for publication in the Cash Management Contracts Database.
Questioned Costs - $0
Context – The University entered into an agreement with a servicer to deliver Title IV credit balances in 2017 but did not provide the URL to the Department of Education.
Effect – The University was not in compliance with the requirements noted above.
Cause – The University’s internal controls did not ensure the required information was provided to the Department of Education.
Identification of repeat finding, if applicable – N/A
Views of responsible officials and planned corrective actions – The University has reviewed the requirements in 34 CFR 668.164(e) and (f) and the required information was submitted to the Department of Education on September 13, 2024. It should be noted that the information was available to the student’s on the University’s website at all times required.
Criteria or specific requirement – Special Tests and Provisions – Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device (34 CFR 668.164(e) and (f).
Condition – The University did not provide a URL for the contract to the Department of Education for publication in the Cash Management Contracts Database.
Questioned Costs - $0
Context – The University entered into an agreement with a servicer to deliver Title IV credit balances in 2017 but did not provide the URL to the Department of Education.
Effect – The University was not in compliance with the requirements noted above.
Cause – The University’s internal controls did not ensure the required information was provided to the Department of Education.
Identification of repeat finding, if applicable – N/A
Views of responsible officials and planned corrective actions – The University has reviewed the requirements in 34 CFR 668.164(e) and (f) and the required information was submitted to the Department of Education on September 13, 2024. It should be noted that the information was available to the student’s on the University’s website at all times required.
Criteria or specific requirement – Special Tests and Provisions – Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device (34 CFR 668.164(e) and (f).
Condition – The University did not provide a URL for the contract to the Department of Education for publication in the Cash Management Contracts Database.
Questioned Costs - $0
Context – The University entered into an agreement with a servicer to deliver Title IV credit balances in 2017 but did not provide the URL to the Department of Education.
Effect – The University was not in compliance with the requirements noted above.
Cause – The University’s internal controls did not ensure the required information was provided to the Department of Education.
Identification of repeat finding, if applicable – N/A
Views of responsible officials and planned corrective actions – The University has reviewed the requirements in 34 CFR 668.164(e) and (f) and the required information was submitted to the Department of Education on September 13, 2024. It should be noted that the information was available to the student’s on the University’s website at all times required.
Criteria or specific requirement – Special Tests and Provisions – Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device (34 CFR 668.164(e) and (f).
Condition – The University did not provide a URL for the contract to the Department of Education for publication in the Cash Management Contracts Database.
Questioned Costs - $0
Context – The University entered into an agreement with a servicer to deliver Title IV credit balances in 2017 but did not provide the URL to the Department of Education.
Effect – The University was not in compliance with the requirements noted above.
Cause – The University’s internal controls did not ensure the required information was provided to the Department of Education.
Identification of repeat finding, if applicable – N/A
Views of responsible officials and planned corrective actions – The University has reviewed the requirements in 34 CFR 668.164(e) and (f) and the required information was submitted to the Department of Education on September 13, 2024. It should be noted that the information was available to the student’s on the University’s website at all times required.