FAC Explorer

Audit 329119

FY End
2024-06-30
Total Expended
$9.49M
Findings
32
Programs
9
Organization: Cornell College (IA)
Year: 2024 Accepted: 2024-11-20
Auditor: Cliftonlarsonallen LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
509321 2024-001 Significant Deficiency - N
509322 2024-001 Significant Deficiency - N
509323 2024-001 Significant Deficiency - N
509324 2024-001 Significant Deficiency - N
509325 2024-001 Significant Deficiency - N
509326 2024-001 Significant Deficiency - N
509327 2024-001 Significant Deficiency - N
509328 2024-001 Significant Deficiency - N
509329 2024-002 Significant Deficiency - N
509330 2024-002 Significant Deficiency - N
509331 2024-002 Significant Deficiency - N
509332 2024-002 Significant Deficiency - N
509333 2024-002 Significant Deficiency - N
509334 2024-002 Significant Deficiency - N
509335 2024-002 Significant Deficiency - N
509336 2024-002 Significant Deficiency - N
1085763 2024-001 Significant Deficiency - N
1085764 2024-001 Significant Deficiency - N
1085765 2024-001 Significant Deficiency - N
1085766 2024-001 Significant Deficiency - N
1085767 2024-001 Significant Deficiency - N
1085768 2024-001 Significant Deficiency - N
1085769 2024-001 Significant Deficiency - N
1085770 2024-001 Significant Deficiency - N
1085771 2024-002 Significant Deficiency - N
1085772 2024-002 Significant Deficiency - N
1085773 2024-002 Significant Deficiency - N
1085774 2024-002 Significant Deficiency - N
1085775 2024-002 Significant Deficiency - N
1085776 2024-002 Significant Deficiency - N
1085777 2024-002 Significant Deficiency - N
1085778 2024-002 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
84.063 Federal Pell Grant Program $1.90M Yes 2
84.268 Federal Direct Student Loans $1.70M Yes 2
84.033 Federal Work-Study Program $342,616 Yes 2
97.044 Assistance to Firefighters Grant $269,495 - 0
21.029 Coronavirus Capital Projects Fund $171,471 - 0
84.007 Federal Supplemental Educational Opportunity Grants $170,880 Yes 2
84.038 Federal Perkins Loan Program $138,145 Yes 2
47.050 Geosciences $33,419 - 0
84.379 Teacher Education Assistance for College and Higher Education Grants (teach Grants) $3,772 Yes 2

Contacts

Name Title Type
ET4AQ6MDU1L7 Kelly Flege Auditee
3198954342 Daniel Persaud Auditor
No contacts on file

Notes to SEFA

Title: BASIS OF PRESENTATION Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. During the year ended June 30, 2024, the College did not pass any funds through to subrecipients. De Minimis Rate Used: N Rate Explanation: The College has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of the College under programs of the federal government for the year ended June 30, 2024. The information in this Schedule is presented in accordance with the requirements of 2 CFR Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the College, it is not intended to, and does not, present the financial position, changes in net assets, or cash flows of the College.
Title: PERKINS LOAN PROGRAM Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. During the year ended June 30, 2024, the College did not pass any funds through to subrecipients. De Minimis Rate Used: N Rate Explanation: The College has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. Outstanding balance of Perkins loans administered by Cornell College at June 30, 2024 and loans advanced during the year were as follows: Federal Perkins Loan Program (CFDA #84.038) Loan Balance: $111,047 Loans Advanced: $-
Title: STUDENT FINANCIAL AID INSTITUTIONAL AND PROGRAM ELIGIBILITY METRICS Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. During the year ended June 30, 2024, the College did not pass any funds through to subrecipients. De Minimis Rate Used: N Rate Explanation: The College has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The College is in compliance with the following institutional and program eligibility requirements under the Higher Education Act of 1965 and Federal regulations under 34 CFR 668.23: * Correspondence courses the institution offers under 34 CFR 600.7(b) and (g) * Regular students that enroll in correspondence courses under 34 CFR 600.7(b) and (g) * Institution’s regular students that are incarcerated under 34 CFR 600.7(c) and (g) * Completion rates for confined or incarcerated individuals enrolled in non-degree programs at nonprofit institutions under 34 CFR 600.7(c)(3)(ii) and (g) * Institution’s regular students that lack a high school diploma or its equivalent under 34 CFR 600.7(d) and (g) * Completion rates for short-term programs under 34 CFR 668.8(f) and (g) * Placement rates for short-term programs under https://www.ecfr.gov/current/title-34/subtitle-B/chapter-VI/part-668/subpart-A/section-668.8 34 CFR 668.8(e)(2)

Finding Details

Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Code of Federal Regulations, 34 CFR 668.25(e) states that an institution must notify the Department of Education by way of the ECAR within 10 days of a change in position of an official at the College. Condition: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Questioned costs: None Context: During our testing, we noted that the change in Director of Financial Aid was not reported timely to the Department of Education. Cause: Based on discussion with management, they attempted to make the update. However, there were issues with the Department of Education’s website. Effect: The College is not in compliance with Department of Education requirements that state the ECAR must have accurately reported information. Repeat Finding: No Recommendation: We recommend the College review its reporting procedures surrounding updating the ECAR to ensure reporting is accurate and completed timely. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 through June 30, 2024 Type of Finding: * Significant Deficiency in Internal Control Over Compliance * Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a College’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not have documented in its Written Information Security Program the need for period reviews of user access controls or an adopted change management policy. In addition, there was no evidence that the Written Information Security Program was evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: There was turnover with the information technology department at the College and as such certain items were missed as it relates to the GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review each element of GLBA to ensure compliance with all necessary requirements. Views of responsible officials: There is no disagreement with the audit finding.