Audit 329370

FY End: 2024-05-31
Total Expended: $21.10M
Findings: 16
Programs: 7
Organization: University of Dubuque (IA)
Year: 2024
Accepted: 2024-11-21
Auditor: RSM US LLP


Findings

ID       Ref       Severity                Repeat  Requirement
509708   2024-001  Significant Deficiency  Yes     N
509709   2024-002  Significant Deficiency  -       N
509710   2024-003  Significant Deficiency  -       N
509711   2024-003  Significant Deficiency  -       N
509712   2024-003  Significant Deficiency  -       N
509713   2024-003  Significant Deficiency  -       N
509714   2024-003  Significant Deficiency  -       N
509715   2024-003  Significant Deficiency  -       N
1086150  2024-001  Significant Deficiency  Yes     N
1086151  2024-002  Significant Deficiency  -       N
1086152  2024-003  Significant Deficiency  -       N
1086153  2024-003  Significant Deficiency  -       N
1086154  2024-003  Significant Deficiency  -       N
1086155  2024-003  Significant Deficiency  -       N
1086156  2024-003  Significant Deficiency  -       N
1086157  2024-003  Significant Deficiency  -       N

Programs

ALN     Program                                                                             Spent     Major  Findings
84.268  Federal Direct Student Loans                                                        $14.84M   Yes    3
84.063  Federal Pell Grant Program                                                          $3.09M    Yes    1
84.038  Federal Perkins Loan Program                                                        $2.51M    Yes    1
84.042  TRIO Student Support Services                                                       $263,491  Yes    0
84.007  Federal Supplemental Educational Opportunity Grants                                 $177,288  Yes    1
84.033  Federal Work-Study Program                                                          $172,965  Yes    1
84.379  Teacher Education Assistance for College and Higher Education Grants (TEACH Grants)  $41,015   Yes    1

Contacts

Name Title Type
W2P9JX5RHMV5 Jamer Steiner Auditee
5635893210 Anna Kyer Auditor

Notes to SEFA

Accounting Policies: Expenditures reported on the schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. The University has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance.
De Minimis Rate Used: N
Rate Explanation: The auditee did not use the de minimis cost rate.

Title: Basis of Presentation
The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal grant activity of the University of Dubuque (the University) under programs of the federal government for the year ended May 31, 2024. The information in this schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the schedule presents only a selected portion of the operations of the University, it is not intended to and does not present the financial position, changes in net assets or cash flows of the University.

Title: Summary of Significant Accounting Policies
Expenditures reported on the schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. The University has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance.

Title: Federal Student Loan Program
The Federal Perkins Loan Program of the University had $1,500,518 of federal loan program receivables from participating students as of May 31, 2024. There was no federal capital contribution during the current year. The University did not contribute any institutional funds during the current year. During the fiscal year ended May 31, 2024, the University issued new loans to students under the Federal Direct Student Loan Program (FDLP). The loan program includes subsidized and unsubsidized Stafford Loans, Parent PLUS Loans and PLUS Loans for graduate and professional students. The value of loans issued for the FDLP is based on disbursed amounts. The loan amounts issued during the year are disclosed on the Schedule. The University is responsible only for the performance of certain administrative duties with respect to the federally guaranteed student loan programs and, accordingly, balances and transactions relating to these loan programs are not included in the University's basic financial statements. Therefore, it is not practicable to determine the balance of loans outstanding made to students and former students of the University at May 31, 2024.

Finding Details

U.S. Department of Education, Student Financial Assistance Programs Cluster (Direct), Federal Direct Loan Program (84.268)
Federal Award Year: 2023-2024
Finding: The University did not timely or accurately report enrollment changes to the National Student Loan Data System (NSLDS).
Criteria: Per 34 CFR 685.309(b), a school shall (1) upon receipt of an enrollment report from the Secretary, update all information included in the report and return the report to the Secretary in the manner and format prescribed by the Secretary, and within the timeframe prescribed by the Secretary; and (2) unless it expects to submit its next updated student enrollment report to the Secretary within the next 60 days, notify the Secretary within 30 days if it discovers that a loan under Title IV of the Act was made to, or on behalf of, a student who was enrolled on at least a half-time basis or failed to enroll on at least a half-time basis for the period for which the loan was intended. Per 34 CFR 668.22(c)(ii), the withdrawal date is the date, as determined by the institution, that the student otherwise provided official notification to the institution, in writing or orally, of his or her intent to withdraw. Uniform Grant Guidance (2 CFR 200.303) requires that nonfederal entities receiving Federal awards establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations and program compliance requirements. Effective internal controls should include procedures to ensure enrollment reporting is completed properly.
Condition: 12 students were not reported as withdrawn within the 60-day timeframe for the University's roster file submissions, and the internal controls in place did not identify the errors.
Cause: Student reporting was not completed within the 60-day roster submission timeframe.
Effect: Noncompliance with federal regulations for enrollment reporting.
Questioned costs: None.
Context: 12 of the 25 students selected haphazardly and tested were not reported in accordance with NSLDS enrollment reporting requirements and were between five and six days late.
Repeat finding: Yes.
Recommendation: The University should accurately report all student status changes to the NSLDS. In addition, the University should review its policies and procedures to ensure withdrawal dates are accurately reflected in the enrollment management system and enrollment changes are reported timely.
Views of responsible officials: Management agrees with this finding. See corrective action plan.
U.S. Department of Education, Student Financial Assistance Programs Cluster (Direct), Federal Direct Loan Program (84.268)
Federal Award Year: 2023-2024
Finding: The University's R2T4 calculation was improper for one student, as the student had not signed a promissory note for the direct loans and the direct loans should not have been included in the calculation.
Criteria: Per 34 CFR 668.164, any undisbursed Title IV aid for the period that the school uses as the basis for the R2T4 calculation is counted as aid that could have been disbursed as long as the following conditions were met before the date the student became ineligible: for all programs, the Department processed a Student Aid Report (SAR) or Institutional Student Information Record (ISIR) with an official expected family contribution (EFC) for the student. (An official EFC is one calculated by the Department and provided on a SAR or ISIR. It may or may not be a valid EFC, which is one based on complete and correct information.) In all Title IV loan programs, a promissory note must be signed for a loan to be included as aid that could have been disbursed in an R2T4 calculation. The signature may be obtained after the student withdraws but must be obtained before the school performs the R2T4 calculation. In addition, if a school has an affirmative confirmation process set up to actively determine whether a student wants a Direct Loan, and the student declines or fails to respond to the request, the Direct Loan would not be included as aid that could have been disbursed. Uniform Grant Guidance (2 CFR 200.303) requires that nonfederal entities receiving Federal awards establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations and program compliance requirements. Effective internal controls should include procedures to ensure enrollment reporting is completed properly.
Condition: One student did not sign a promissory note for direct loans that were included in the R2T4 calculation; therefore, the University's R2T4 calculation was improperly calculated, and the internal controls in place did not identify the errors.
Cause: The student did not sign a promissory note for direct loans.
Effect: Noncompliance with federal regulations for R2T4.
Questioned costs: The amount refunded was underpaid by $79.
Context: One of the eight students selected randomly and tested did not sign a promissory note for direct loans that were included in the R2T4 calculation; therefore, the University's R2T4 calculation was improperly calculated.
Repeat finding: This is not a repeat finding.
Recommendation: The University should review the controls and procedures in place to verify that only aid with signed promissory notes is included in R2T4 calculations.
Views of responsible officials: Management agrees with this finding. See corrective action plan.
U.S. Department of Education, Student Financial Assistance Programs Cluster, Gramm-Leach-Bliley Act – Student Information Security (84.007, 84.268, 84.038, 84.063, 84.378)
Federal Award Year: 2023-2024
Finding: The University created and implemented a comprehensive information security policy, but did not do so in a timely manner.
Criteria: 2 CFR 200.303(a) requires that the non-Federal entity establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States, or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission. The Program Participation Agreement (PPA) with the U.S. Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314, which includes the development of a comprehensive written security program that includes the following parts:
16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution's information security program and enforcing the information security program.
16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment.
16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards they have implemented.
16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program.
16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee their information system service providers.
Condition: The institution's written information security program was not completed in a timely manner to include the following elements required by regulation as agreed to in the PPA:
The written information security program does not designate an individual responsible for overseeing and implementing the institution's information security program or enforcing the information security program.
The institution has performed a risk assessment utilizing internal resources but has not based the information security program on the results of this assessment, nor has the institution included all required elements of internal and external risks to the security, confidentiality or integrity of customer information.
The institution's risk assessment is missing an inventory of IT systems that process and store customer information and the compliance with information security elements related to multifactor authentication, access control, change management, logging and alerting, and encryption.
The institution has not identified, designed or implemented safeguards for all of the risks identified in the risk assessment. The safeguards do not include the identification of security events or detection and response capabilities to support incident response.
The institution has not been able to test safeguards because safeguards have not been designed or implemented in response to the risk assessment.
The institution has not developed written policies and procedures to ensure that personnel are able to enact the information security program.
There is a lack of evidence of leadership being required to report to the board or an appropriate supervisory council to ensure those charged with governance are informed on the current state of the information security program.
The institution has not developed policies and procedures to oversee information service providers.
Cause: The institution did not create and implement a comprehensive information security policy in a timely manner.
Effect: The institution did not create and implement a comprehensive information security policy in a timely manner. The absence of internal controls and policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of student account information.
Questioned costs: None.
Context: Under an institution's PPA with the U.S. Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the U.S. Department of Education or otherwise obtained in support of the administration of federal student financial aid programs.
Repeat finding: This is not a repeat finding.
Recommendation: We recommend that the University complete these requirements in a timely manner in the future.
Views of responsible officials: Management agrees with this finding. See corrective action plan.
U.S. Department of Education Student Financial Assistance Programs Cluster Gramm-Leach Bliley Act – Student Information Security (84.007, 84.268, 84.038, 84.063, 84.378) Federal Award Year: 2023-2024 Finding: The University created and implemented a comprehensive information security policy, but did not have it done in a timely manner. Criteria: 2 CFR 200.303(a) requires that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission. The Program Participation Agreement (PPA) with the U.S. Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts: 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program. 
16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment. 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program. 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers. Condition: The institution’s written information security program was not done in a timely manner to include the following elements required by regulation as agreed to in the PPA: The written information security program does not designate an individual responsible for overseeing and implementing the institution’s information security program or enforcing the information security program. The institution has performed a risk assessment utilizing internal resources but has not based the information security program on the results of this assessment, nor has the institution included all required elements of internal and external risks to the security, confidentiality or integrity of customer information. 
The institution’s risk assessment is missing an inventory of IT systems that process and store customer information and the compliance with information security elements related to multifactor authentication, access control, change management, logging and alerting and encryption. The institution has not identified, designed or implemented safeguards for all of the risks identified in the risk assessment. The safeguards do not include the identification of security events or detection and response capabilities to support incident response. The institution has not been able to test safeguards because safeguards have not been designed or implemented in response to the risk assessment. The institution has not developed written policies and procedures to ensure that personnel are able to enact the information security program. There is a lack of evidence of leadership being required to report to the board or an appropriate supervisory council to ensure those charged with governance are informed on the current state of the information security program. The institution has not developed policies and procedures to oversee information service providers. Cause: The institution did not create and implement a comprehensive information security policy in a timely manner. Effect: The institution did not create and implement a comprehensive information security policy in a timely manner. The absence of internal controls and policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of student account information. Questioned costs: None. Context: Under an institution’s PPA with the U.S. Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the U.S. Department of Education or otherwise obtained in support of the administration of federal student financial aid programs. Repeat finding: This is not a repeat finding. 
Recommendation: We recommend that the University completes these requirements in a timely manner in the future. Views of responsible officials: Management agrees with this finding. See corrective action plan.
U.S. Department of Education Student Financial Assistance Programs Cluster Gramm-Leach Bliley Act – Student Information Security (84.007, 84.268, 84.038, 84.063, 84.378) Federal Award Year: 2023-2024 Finding: The University created and implemented a comprehensive information security policy, but did not have it done in a timely manner. Criteria: 2 CFR 200.303(a) requires that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission. The Program Participation Agreement (PPA) with the U.S. Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts: 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program. 
16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment. 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program. 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers. Condition: The institution’s written information security program was not done in a timely manner to include the following elements required by regulation as agreed to in the PPA: The written information security program does not designate an individual responsible for overseeing and implementing the institution’s information security program or enforcing the information security program. The institution has performed a risk assessment utilizing internal resources but has not based the information security program on the results of this assessment, nor has the institution included all required elements of internal and external risks to the security, confidentiality or integrity of customer information. 
The institution’s risk assessment is missing an inventory of IT systems that process and store customer information and the compliance with information security elements related to multifactor authentication, access control, change management, logging and alerting and encryption. The institution has not identified, designed or implemented safeguards for all of the risks identified in the risk assessment. The safeguards do not include the identification of security events or detection and response capabilities to support incident response. The institution has not been able to test safeguards because safeguards have not been designed or implemented in response to the risk assessment. The institution has not developed written policies and procedures to ensure that personnel are able to enact the information security program. There is a lack of evidence of leadership being required to report to the board or an appropriate supervisory council to ensure those charged with governance are informed on the current state of the information security program. The institution has not developed policies and procedures to oversee information service providers. Cause: The institution did not create and implement a comprehensive information security policy in a timely manner. Effect: The institution did not create and implement a comprehensive information security policy in a timely manner. The absence of internal controls and policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of student account information. Questioned costs: None. Context: Under an institution’s PPA with the U.S. Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the U.S. Department of Education or otherwise obtained in support of the administration of federal student financial aid programs. Repeat finding: This is not a repeat finding. 
Recommendation: We recommend that the University completes these requirements in a timely manner in the future. Views of responsible officials: Management agrees with this finding. See corrective action plan.
U.S. Department of Education Student Financial Assistance Programs Cluster Gramm-Leach Bliley Act – Student Information Security (84.007, 84.268, 84.038, 84.063, 84.378) Federal Award Year: 2023-2024 Finding: The University created and implemented a comprehensive information security policy, but did not have it done in a timely manner. Criteria: 2 CFR 200.303(a) requires that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission. The Program Participation Agreement (PPA) with the U.S. Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts: 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program. 
16 CFR 314.4(b) requires institutions to base the information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and that assesses the sufficiency of any safeguards in place to control these risks. 16 CFR 314.4(c) requires institutions to design and implement safeguards to control the risks the institution identifies through its risk assessment. 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards they have implemented. 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program. 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee their information system service providers.
Condition: The institution’s written information security program was not completed in a timely manner and did not include the following elements required by the regulation and agreed to in the PPA: The written information security program does not designate an individual responsible for overseeing, implementing and enforcing the institution’s information security program. The institution has performed a risk assessment using internal resources, but has not based the information security program on the results of that assessment, and the assessment does not address all required internal and external risks to the security, confidentiality or integrity of customer information. The institution’s risk assessment lacks an inventory of the IT systems that process and store customer information and does not assess compliance with the information security elements related to multifactor authentication, access control, change management, logging and alerting, and encryption. The institution has not identified, designed or implemented safeguards for all of the risks identified in the risk assessment. The safeguards do not include the identification of security events or the detection and response capabilities needed to support incident response. The institution has not been able to test its safeguards because safeguards have not been designed or implemented in response to the risk assessment. The institution has not developed written policies and procedures to ensure that personnel are able to enact the information security program. There is no evidence that leadership is required to report to the board or an appropriate supervisory council so that those charged with governance are informed of the current state of the information security program. The institution has not developed policies and procedures to oversee its information system service providers.
Cause: The institution did not create and implement a comprehensive information security policy in a timely manner.
Effect: A comprehensive information security program was not in place in a timely manner. The absence of internal controls and written policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of student account information.
Questioned costs: None.
Context: Under an institution’s PPA with the U.S. Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the U.S. Department of Education or otherwise obtained in support of the administration of federal student financial aid programs.
Repeat finding: This is not a repeat finding.
Recommendation: We recommend that the University complete these requirements in a timely manner in the future.
Views of responsible officials: Management agrees with this finding. See corrective action plan.
U.S. Department of Education Student Financial Assistance Programs Cluster
(Direct) Federal Direct Loan Program (84.268)
Federal Award Year: 2023-2024
Finding: The University did not timely or accurately report enrollment changes to the National Student Loan Data System (NSLDS).
Criteria: Per 34 CFR 685.309(b), a school shall (1) upon receipt of an enrollment report from the Secretary, update all information included in the report and return the report to the Secretary in the manner and format prescribed by the Secretary and within the timeframe prescribed by the Secretary; and (2) unless it expects to submit its next updated student enrollment report to the Secretary within the next 60 days, notify the Secretary within 30 days if it discovers that a loan under Title IV of the Act was made to, or on behalf of, a student who ceased to be enrolled on at least a half-time basis or failed to enroll on at least a half-time basis for the period for which the loan was intended. Per 34 CFR 668.22(c)(ii), the withdrawal date is the date, as determined by the institution, that the student otherwise provided official notification to the institution, in writing or orally, of his or her intent to withdraw. The Uniform Guidance (2 CFR 200.303) requires non-federal entities receiving Federal awards to establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations and program compliance requirements. Effective internal controls should include procedures to ensure enrollment reporting is completed properly.
Condition: 12 students were not reported as withdrawn within the 60-day timeframe for the University’s roster file submissions, and the internal controls in place did not identify the errors.
Cause: Student status changes were not reported within the 60-day roster submission timeframe.
Effect: Noncompliance with federal regulations for enrollment reporting.
Questioned costs: None.
Context: 12 of the 25 students selected haphazardly and tested were not reported in accordance with NSLDS enrollment reporting requirements; the reports were five to six days late.
Repeat finding: Yes.
Recommendation: The University should accurately report all student status changes to the NSLDS. In addition, the University should review its policies and procedures to ensure withdrawal dates are accurately reflected in the enrollment management system and enrollment changes are reported timely.
Views of responsible officials: Management agrees with this finding. See corrective action plan.
U.S. Department of Education Student Financial Assistance Programs Cluster
(Direct) Federal Direct Loan Program (84.268)
Federal Award Year: 2023-2024
Finding: The University’s R2T4 calculation was improper for one student: the student had not signed a promissory note for the direct loans, so the direct loans should not have been included in the calculation.
Criteria: Per 34 CFR 668.164, any undisbursed Title IV aid for the period that the school uses as the basis for the R2T4 calculation is counted as aid that could have been disbursed as long as the following conditions were met before the date the student became ineligible: for all programs, the Department processed a Student Aid Report (SAR) or Institutional Student Information Record (ISIR) with an official expected family contribution (EFC) for the student (an official EFC is one calculated by the Department and provided on a SAR or ISIR; it may or may not be a valid EFC, which is one based on complete and correct information). In all Title IV loan programs, a promissory note must be signed for a loan to be included as aid that could have been disbursed in an R2T4 calculation. The signature may be obtained after the student withdraws, but must be obtained before the school performs the R2T4 calculation. In addition, if a school has an affirmative confirmation process set up to actively determine whether a student wants a Direct Loan, and the student declines or fails to respond to the request, the Direct Loan is not included as aid that could have been disbursed. The Uniform Guidance (2 CFR 200.303) requires non-federal entities receiving Federal awards to establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations and program compliance requirements. Effective internal controls should include procedures to ensure R2T4 calculations are completed properly.
Condition: One student did not sign a promissory note for direct loans that were included in the R2T4 calculation; therefore, the University’s R2T4 calculation was improper, and the internal controls in place did not identify the error.
Cause: The student did not sign a promissory note for the direct loans.
Effect: Noncompliance with federal regulations for R2T4.
Questioned costs: The amount refunded was underpaid by $79.
Context: One of the eight students selected randomly and tested did not sign a promissory note for direct loans that were included in the R2T4 calculation; therefore, the University’s R2T4 calculation was improper.
Repeat finding: This is not a repeat finding.
Recommendation: The University should review the controls and procedures in place to verify that only aid with signed promissory notes is included in R2T4 calculations.
Views of responsible officials: Management agrees with this finding. See corrective action plan.