FAC Explorer

Audit 332923

FY End
2024-06-30
Total Expended
$11.26M
Findings
24
Programs
5
Organization: University of Northwestern - St. Paul and Subsidiaries (MN)
Year: 2024 Accepted: 2024-12-17
Auditor: Cliftonlarsonallen LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
514577 2024-001 Significant Deficiency - N
514578 2024-001 Significant Deficiency - N
514579 2024-001 Significant Deficiency - N
514580 2024-001 Significant Deficiency - N
514581 2024-001 Significant Deficiency - N
514582 2024-001 Significant Deficiency - N
514583 2024-002 Significant Deficiency - N
514584 2024-002 Significant Deficiency - N
514585 2024-002 Significant Deficiency - N
514586 2024-002 Significant Deficiency - N
514587 2024-002 Significant Deficiency - N
514588 2024-002 Significant Deficiency - N
1091019 2024-001 Significant Deficiency - N
1091020 2024-001 Significant Deficiency - N
1091021 2024-001 Significant Deficiency - N
1091022 2024-001 Significant Deficiency - N
1091023 2024-001 Significant Deficiency - N
1091024 2024-001 Significant Deficiency - N
1091025 2024-002 Significant Deficiency - N
1091026 2024-002 Significant Deficiency - N
1091027 2024-002 Significant Deficiency - N
1091028 2024-002 Significant Deficiency - N
1091029 2024-002 Significant Deficiency - N
1091030 2024-002 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
84.063 Federal Pell Grant Program $2.55M Yes 2
84.268 Federal Direct Student Loans $1.42M Yes 2
84.038 Federal Perkins Loans-Beginning Balance $754,803 Yes 2
84.033 Federal Work-Study Program $172,048 Yes 2
84.007 Federal Supplemental Educational Opportunity Grants $113,927 Yes 2

Contacts

Name Title Type
FLVCWFZ2KGS5 John M. Sommerville Auditee
6516315100 Liz Cook Auditor
No contacts on file

Notes to SEFA

Title: Basis of Presentation Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. During the year ended June 30, 2024, the University did not pass any funds through to subrecipients. De Minimis Rate Used: N Rate Explanation: The University has elected not to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance. The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of the University under programs of the federal government for the year ended June 30, 2024. The information in this Schedule is presented in accordance with the requirements of 2 CFR Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the University, it is not intended to and does not present the financial position, changes in net assets, or cash flows of the University.
Title: Perkins Loan Programs Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. During the year ended June 30, 2024, the University did not pass any funds through to subrecipients. De Minimis Rate Used: N Rate Explanation: The University has elected not to use the 10-percent de minimis indirect cost rate allowed under the Uniform Guidance. The University administers the following federal loan programs: Outstanding Balance at ALN June 30, 2024 Federal Perkins Loan Program 84.038 $ 542,094

Finding Details

Finding 2024-001
Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: GLBA requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, there was evidence obtained of five procedures being performed during the year; however, these five items were missing from the formally documented Written Information Security Program (WISP). The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were not included in the WISP: 􀁸 Implement and periodically review access controls 􀁸 Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted 􀁸 Encrypt customer information on the institution’s system and when it’s in transit 􀁸 Dispose of customer information securely In addition, we were not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned Costs: N/A Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were five elements missing from the WISP. Cause: The current processes in place did not ensure 100% compliance with the new GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: GLBA requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, there was evidence obtained of five procedures being performed during the year; however, these five items were missing from the formally documented Written Information Security Program (WISP). The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were not included in the WISP: 􀁸 Implement and periodically review access controls 􀁸 Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted 􀁸 Encrypt customer information on the institution’s system and when it’s in transit 􀁸 Dispose of customer information securely In addition, we were not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned Costs: N/A Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were five elements missing from the WISP. Cause: The current processes in place did not ensure 100% compliance with the new GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: GLBA requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, there was evidence obtained of five procedures being performed during the year; however, these five items were missing from the formally documented Written Information Security Program (WISP). The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were not included in the WISP: 􀁸 Implement and periodically review access controls 􀁸 Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted 􀁸 Encrypt customer information on the institution’s system and when it’s in transit 􀁸 Dispose of customer information securely In addition, we were not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned Costs: N/A Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were five elements missing from the WISP. Cause: The current processes in place did not ensure 100% compliance with the new GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: GLBA requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, there was evidence obtained of five procedures being performed during the year; however, these five items were missing from the formally documented Written Information Security Program (WISP). The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were not included in the WISP: 􀁸 Implement and periodically review access controls 􀁸 Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted 􀁸 Encrypt customer information on the institution’s system and when it’s in transit 􀁸 Dispose of customer information securely In addition, we were not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned Costs: N/A Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were five elements missing from the WISP. Cause: The current processes in place did not ensure 100% compliance with the new GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: GLBA requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, there was evidence obtained of five procedures being performed during the year; however, these five items were missing from the formally documented Written Information Security Program (WISP). The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were not included in the WISP: 􀁸 Implement and periodically review access controls 􀁸 Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted 􀁸 Encrypt customer information on the institution’s system and when it’s in transit 􀁸 Dispose of customer information securely In addition, we were not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned Costs: N/A Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were five elements missing from the WISP. Cause: The current processes in place did not ensure 100% compliance with the new GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: GLBA requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, there was evidence obtained of five procedures being performed during the year; however, these five items were missing from the formally documented Written Information Security Program (WISP). The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were not included in the WISP: 􀁸 Implement and periodically review access controls 􀁸 Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted 􀁸 Encrypt customer information on the institution’s system and when it’s in transit 􀁸 Dispose of customer information securely In addition, we were not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned Costs: N/A Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were five elements missing from the WISP. Cause: The current processes in place did not ensure 100% compliance with the new GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: During our testing, we noted for 3 out of the 40 students, the enrollment effective date per NSLDS did not match the University’s records. Questioned Costs: N/A Context: Two of the students were graduated and specifically involved in student teaching and one individual was a withdrawal in between fall and spring term. Cause: The University’s current process in place did not ensure all students were reported accurately. Effect: The University did not comply with Department of Education (ED) regulations by reporting student enrollment status changes accurately. Repeat Finding: No Auditor’s Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: During our testing, we noted for 3 out of the 40 students, the enrollment effective date per NSLDS did not match the University’s records. Questioned Costs: N/A Context: Two of the students were graduated and specifically involved in student teaching and one individual was a withdrawal in between fall and spring term. Cause: The University’s current process in place did not ensure all students were reported accurately. Effect: The University did not comply with Department of Education (ED) regulations by reporting student enrollment status changes accurately. Repeat Finding: No Auditor’s Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: During our testing, we noted for 3 out of the 40 students, the enrollment effective date per NSLDS did not match the University’s records. Questioned Costs: N/A Context: Two of the students were graduated and specifically involved in student teaching and one individual was a withdrawal in between fall and spring term. Cause: The University’s current process in place did not ensure all students were reported accurately. Effect: The University did not comply with Department of Education (ED) regulations by reporting student enrollment status changes accurately. Repeat Finding: No Auditor’s Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: During our testing, we noted for 3 out of the 40 students, the enrollment effective date per NSLDS did not match the University’s records. Questioned Costs: N/A Context: Two of the students were graduated and specifically involved in student teaching and one individual was a withdrawal in between fall and spring term. Cause: The University’s current process in place did not ensure all students were reported accurately. Effect: The University did not comply with Department of Education (ED) regulations by reporting student enrollment status changes accurately. Repeat Finding: No Auditor’s Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: During our testing, we noted for 3 out of the 40 students, the enrollment effective date per NSLDS did not match the University’s records. Questioned Costs: N/A Context: Two of the students were graduated and specifically involved in student teaching and one individual was a withdrawal in between fall and spring term. Cause: The University’s current process in place did not ensure all students were reported accurately. Effect: The University did not comply with Department of Education (ED) regulations by reporting student enrollment status changes accurately. Repeat Finding: No Auditor’s Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: During our testing, we noted for 3 out of the 40 students, the enrollment effective date per NSLDS did not match the University’s records. Questioned Costs: N/A Context: Two of the students were graduated and specifically involved in student teaching and one individual was a withdrawal in between fall and spring term. Cause: The University’s current process in place did not ensure all students were reported accurately. Effect: The University did not comply with Department of Education (ED) regulations by reporting student enrollment status changes accurately. Repeat Finding: No Auditor’s Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: GLBA requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, there was evidence obtained of five procedures being performed during the year; however, these five items were missing from the formally documented Written Information Security Program (WISP). The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were not included in the WISP: 􀁸 Implement and periodically review access controls 􀁸 Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted 􀁸 Encrypt customer information on the institution’s system and when it’s in transit 􀁸 Dispose of customer information securely In addition, we were not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned Costs: N/A Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were five elements missing from the WISP. Cause: The current processes in place did not ensure 100% compliance with the new GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: GLBA requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, there was evidence obtained of five procedures being performed during the year; however, these five items were missing from the formally documented Written Information Security Program (WISP). The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were not included in the WISP: 􀁸 Implement and periodically review access controls 􀁸 Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted 􀁸 Encrypt customer information on the institution’s system and when it’s in transit 􀁸 Dispose of customer information securely In addition, we were not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned Costs: N/A Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were five elements missing from the WISP. Cause: The current processes in place did not ensure 100% compliance with the new GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: GLBA requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, there was evidence obtained of five procedures being performed during the year; however, these five items were missing from the formally documented Written Information Security Program (WISP). The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were not included in the WISP: 􀁸 Implement and periodically review access controls 􀁸 Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted 􀁸 Encrypt customer information on the institution’s system and when it’s in transit 􀁸 Dispose of customer information securely In addition, we were not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned Costs: N/A Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were five elements missing from the WISP. Cause: The current processes in place did not ensure 100% compliance with the new GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: GLBA requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, there was evidence obtained of five procedures being performed during the year; however, these five items were missing from the formally documented Written Information Security Program (WISP). The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were not included in the WISP: 􀁸 Implement and periodically review access controls 􀁸 Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted 􀁸 Encrypt customer information on the institution’s system and when it’s in transit 􀁸 Dispose of customer information securely In addition, we were not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned Costs: N/A Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were five elements missing from the WISP. Cause: The current processes in place did not ensure 100% compliance with the new GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: GLBA requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, there was evidence obtained of five procedures being performed during the year; however, these five items were missing from the formally documented Written Information Security Program (WISP). The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were not included in the WISP: 􀁸 Implement and periodically review access controls 􀁸 Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted 􀁸 Encrypt customer information on the institution’s system and when it’s in transit 􀁸 Dispose of customer information securely In addition, we were not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned Costs: N/A Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were five elements missing from the WISP. Cause: The current processes in place did not ensure 100% compliance with the new GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: GLBA requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: During our testing, there was evidence obtained of five procedures being performed during the year; however, these five items were missing from the formally documented Written Information Security Program (WISP). The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were not included in the WISP: 􀁸 Implement and periodically review access controls 􀁸 Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted 􀁸 Encrypt customer information on the institution’s system and when it’s in transit 􀁸 Dispose of customer information securely In addition, we were not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Questioned Costs: N/A Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were five elements missing from the WISP. Cause: The current processes in place did not ensure 100% compliance with the new GLBA requirements. Effect: The student personal information could be vulnerable. Repeat Finding: No Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: During our testing, we noted for 3 out of the 40 students, the enrollment effective date per NSLDS did not match the University’s records. Questioned Costs: N/A Context: Two of the students were graduated and specifically involved in student teaching and one individual was a withdrawal in between fall and spring term. Cause: The University’s current process in place did not ensure all students were reported accurately. Effect: The University did not comply with Department of Education (ED) regulations by reporting student enrollment status changes accurately. Repeat Finding: No Auditor’s Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: During our testing, we noted for 3 out of the 40 students, the enrollment effective date per NSLDS did not match the University’s records. Questioned Costs: N/A Context: Two of the students were graduated and specifically involved in student teaching and one individual was a withdrawal in between fall and spring term. Cause: The University’s current process in place did not ensure all students were reported accurately. Effect: The University did not comply with Department of Education (ED) regulations by reporting student enrollment status changes accurately. Repeat Finding: No Auditor’s Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: During our testing, we noted for 3 out of the 40 students, the enrollment effective date per NSLDS did not match the University’s records. Questioned Costs: N/A Context: Two of the students were graduated and specifically involved in student teaching and one individual was a withdrawal in between fall and spring term. Cause: The University’s current process in place did not ensure all students were reported accurately. Effect: The University did not comply with Department of Education (ED) regulations by reporting student enrollment status changes accurately. Repeat Finding: No Auditor’s Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: During our testing, we noted for 3 out of the 40 students, the enrollment effective date per NSLDS did not match the University’s records. Questioned Costs: N/A Context: Two of the students were graduated and specifically involved in student teaching and one individual was a withdrawal in between fall and spring term. Cause: The University’s current process in place did not ensure all students were reported accurately. Effect: The University did not comply with Department of Education (ED) regulations by reporting student enrollment status changes accurately. Repeat Finding: No Auditor’s Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: During our testing, we noted for 3 out of the 40 students, the enrollment effective date per NSLDS did not match the University’s records. Questioned Costs: N/A Context: Two of the students were graduated and specifically involved in student teaching and one individual was a withdrawal in between fall and spring term. Cause: The University’s current process in place did not ensure all students were reported accurately. Effect: The University did not comply with Department of Education (ED) regulations by reporting student enrollment status changes accurately. Repeat Finding: No Auditor’s Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Assistance Cluster Assistance Listing Number: Various Award Period: July 1, 2023 to June 30, 2024 Type of Finding: 􀁸 Significant Deficiency in Internal Control over Compliance 􀁸 Other Matters Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Regulations require the status include an accurate effective date. Condition: During our testing, we noted for 3 out of the 40 students, the enrollment effective date per NSLDS did not match the University’s records. Questioned Costs: N/A Context: Two of the students were graduated and specifically involved in student teaching and one individual was a withdrawal in between fall and spring term. Cause: The University’s current process in place did not ensure all students were reported accurately. Effect: The University did not comply with Department of Education (ED) regulations by reporting student enrollment status changes accurately. Repeat Finding: No Auditor’s Recommendation: We recommend the University review its reporting procedures to ensure that students’ statuses are accurately reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.