Audit 335890

FY End: 2024-06-30
Total Expended: $7.03M
Findings: 12
Programs: 5
Organization: Johnson University (TN)
Year: 2024
Accepted: 2025-01-06

Findings

ID Ref Severity Repeat Requirement
517765 2024-002 Significant Deficiency - N
517766 2024-001 Significant Deficiency Yes N
517767 2024-002 Significant Deficiency - N
517768 2024-003 Significant Deficiency - N
517769 2024-004 Significant Deficiency Yes N
517770 2024-004 Significant Deficiency Yes N
1094207 2024-002 Significant Deficiency - N
1094208 2024-001 Significant Deficiency Yes N
1094209 2024-002 Significant Deficiency - N
1094210 2024-003 Significant Deficiency - N
1094211 2024-004 Significant Deficiency Yes N
1094212 2024-004 Significant Deficiency Yes N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $4.87M Yes 4
84.063 Federal Pell Grant Program $1.76M Yes 1
84.033 Federal Work-Study Program $168,019 Yes 0
84.379 Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) $154,181 Yes 1
84.007 Federal Supplemental Educational Opportunity Grants $73,540 Yes 0

Contacts

Name Title Type
SBRWLVZNE847 Cindy Barnard Auditee
8652512337 Chad Kisner Auditor
No contacts on file

Notes to SEFA

Title: Note 1 - Basis of Presentation
Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement.
De Minimis Rate Used: N
Rate Explanation: Johnson University has elected not to use the 10 percent De Minimis indirect cost rate allowed under the Uniform Guidance.

The schedule of expenditures of federal awards (the Schedule) includes the federal award activity of Johnson University under programs of the federal government for the year ended June 30, 2024. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of Johnson University, it is not intended to, and does not present, the financial position, changes in net assets or cash flows of Johnson University.

Finding Details

2024-002 Significant Deficiency: Return to Title IV Funds (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268; Federal Pell Grant Program, ALN #84.063)

Criteria: In accordance with 34 CFR 668.22(f), in the calculation of the percentage of payment period and/or period of enrollment completed, the total number of calendar days in a payment and/or enrollment period includes all days within the period, except that institutionally scheduled breaks of at least 5 consecutive calendar days and days in which the student was on an approved leave of absence are excluded from the total number of calendar days in a payment period and/or period of enrollment.

Statement of Condition: During the audit, it was noted that the University used the incorrect number of completed days in the payment period or period of enrollment in calculating the percentage of the Title IV aid earned.

Questioned Costs: This finding is monetary in nature. In the instances noted in testing, the total error identified is $1,992 in over-award. Extrapolation of this monetary error was not necessary as the 5 withdrawal students tested as part of the 2024 audit constitute the entire withdrawal population for the period under audit. This does not exceed the $25,000 reporting threshold for monetary error within Federal Award Programs.

Perspective Information: The audit included a detailed testing of 5 withdrawal student files, of which this significant deficiency applies to 1, indicating an error rate of 20.0%. This does exceed the reporting threshold of 10% for Federal Award Programs.

Cause and Effect: For one withdrawal calculation performed, the day count for days completed by the student was not performed per the instructions described in the Student Financial Aid Handbook. The student identified was enrolled in multiple modules within the same term. The individual withdrew from all classes enrolled in the earlier module, returned at the start of the second module, and then withdrew from the latter module and therefore, the University. At this time, an R2T4 was completed and in calculating completed days for the student, the University did not reduce the calculation of calendar days completed for the break between the withdrawal from the first module and the beginning of the second module. The use of an incorrect number of completed calendar days results in a miscalculation of percentage of Title IV aid earned and may additionally result in monetary error.

Recommendation: The University should ensure that the number of completed days in the payment period or period of enrollment are counted correctly utilizing the guidance provided by the Compliance Supplement and the Student Financial Aid Handbook.

View of Responsible Officials: The University has determined that this matter constitutes a unique training situation involving the application of procedures related to the Return of Title IV funds. In particular, the University recognizes the need for enhanced training concerning the accurate counting of days when a student withdraws, provides written notification of their intent to attend a future module within the same term, and subsequently withdraws from that second module. The error in question arose from the miscalculation of days, where the University inadvertently counted all days in the initial module rather than counting only the days leading up to the student's initial withdrawal prior to the final withdrawal from the second module. This oversight was attributed to an individual employee, and the University has proactively implemented comprehensive training and procedural safeguards to prevent similar occurrences in the future.

2024-001 Significant Deficiency: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) (Repeat Finding: 2023-001)

Criteria: In accordance with 16 CFR 314.4, a University shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue and must contain all of the elements that are further described in 16 CFR 314.4.

Statement of Condition: During the audit, it was noted that the University’s Gramm-Leach-Bliley Act Policy did not fully address all of the requirements as described by 16 CFR 314.4. In addition, the application of the comprehensive information security program was not effectively administered by the University during the 2024 year. An updated policy was put into place in July 2024, which addressed several of the deficiencies noted in the existing policy, but not all. The seven required elements for the GLBA policy are as follows, along with the status within each of the University’s policies in place during the year:

1. The policy designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance. Both the existing policy and the newly implemented policy sufficiently address this attribute. Luke Edwards, IT director, and Tim Fisher, IT Systems Analyst, work together to oversee the information security program and implementation of additional facets.

2. The policy provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Additional risk assessments are planned to be performed every 2 years to reexamine reasonably foreseeable risks and to account for changes in cybersecurity controls. The next risk assessment shall be completed by December 31, 2025.

3. The policy provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), which are detailed as follows:

   3.1. Implement and periodically review access controls. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement, instituting a continuous monitoring process undertaken at periodic intervals. The University has contracted with a new software to assist with this, which is expected to be live by December 31, 2024.

   3.2. Conduct a periodic inventory of data, noting where it is collected, stored or transmitted. Both the existing policy and the newly implemented policy are silent on this requirement. Resolution to this matter is expected to be addressed and incorporated into the policy by December 31, 2024.

   3.3. Encrypt customer information on the institution’s system and when it is in transit. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. The University has had encryption in transit for several years but has not had encryption at rest. In October 2023, the University purchased licenses to enable encryption at rest and most virtual machines containing sensitive data were fully encrypted by April 30, 2024. The remaining virtual machines are planned to be encrypted by December 31, 2024.

   3.4. Assess applications developed by the institution. Both the existing policy and the newly implemented policy are silent on this requirement. However, the University does not develop in-house applications for transmitting, accessing, or storing customer information.

   3.5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. Both the existing policy and the newly implemented policy are silent on this requirement. However, the University utilizes multi-factor authentication on all connections to the server where student information system is accessed, as well as administrative and financial applications.

   3.6. Dispose of customer information securely. Both the existing policy and the newly implemented policy are silent on this requirement. Evaluation of organizational data retention policies for effectiveness is ongoing and expected to be completed by December 31, 2024. Future evaluations for the effectiveness of data retention policies will take place every other year in a joint venture with the Finance and IT Departments.

   3.7. Anticipate and evaluate changes to the information system or network. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. Official policies should be in place by December 31, 2024.

   3.8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. Both the existing policy and the newly implemented policy are silent on this requirement. Office 365 user logging has been in place; sign-ins to on-premises resources was implemented in March 2024. IT has processes in place for addressing suspicious activity.

4. The policy provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement.

5. The policy provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program. Both the existing policy and the newly implemented policy sufficiently address this attribute. Software has been purchased and implemented for continuous monitoring of vulnerabilities within organizational software.

6. The policy addresses how the institution will oversee its information system service providers. This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Collection of SOC2 security reports from vendors that have access to systems with student information is in progress. The collection and analysis of these reports is expected to be completed by December 31, 2024. Review of these reports is planned to be conducted annually, with requests for updated security reports every 3 years.

7. The policy provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program. Both the existing policy and the newly implemented policy sufficiently address this attribute. Status reports regarding facets of the information security policy are provided to senior leadership team members and to the board at least annually at their regularly scheduled meetings.

Questioned Costs: Such information is not applicable for this finding since it is nonmonetary in nature.

Perspective Information: The 2024 audit included testing of the University’s Gramm-Leach-Bliley Act Policy as outlined in Part 5 of the Compliance Supplement including the application of this program for the year.

Cause and Effect: During the current year, the responsible parties began putting procedures into place and drafted an updated policy to ensure deficiencies in the information security policy are addressed. As this process requires the coordination of multiple individuals, software systems, and approvals, the updates were unable to be completed by June 30, 2024.

Recommendation: The University should continue to update their Gramm-Leach-Bliley Act Policy to be in accordance with the requirements and put in place effective controls and practices to ensure the policy is monitored in a way to ensure it is administered effectively and timely.

View of Responsible Officials: The Johnson University IT Department has consistently worked to improve compliance with GLBA regulations since July 2023. The leadership of Johnson University has taken a proactive and measured approach to GLBA compliance that ensures a balance between reaching compliance quickly and reaching compliance with long-term strategic planning. This has led to a GLBA implementation that will take 2 or more years but will set up the university for long-term excellence in compliance and security. The University understands the importance of GLBA requirements and is committed to ensuring student data is protected from all foreseeable threats. It will continue to iterate on its GLBA corrective action plan to ensure proper compliance for long-term security.

2024-003 Significant Deficiency: Direct Loan Limits (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268)

Criteria: In accordance with the Federal Student Aid Handbook, Volume 3, Chapter 3, you must determine an undergraduate student’s Pell Grant eligibility before originating a Direct Subsidized or Unsubsidized Loan for that student, and you must package Campus-Based funds and Direct Subsidized Loans before Direct Unsubsidized Loans. In addition, you must determine an undergraduate student’s maximum Direct Subsidized Loan eligibility before originating a Direct Unsubsidized Loan for the student. The student’s maximum annual loan limit increases as the student progresses to higher grade levels.

Statement of Condition: During the audit, it was noted that the University did not fulfill maximum award of students’ Direct Subsidized Loan eligibility prior to awarding Unsubsidized Direct Loans.

Questioned Costs: This finding is monetary in nature. In the instances noted in testing, the total error is $5,983 in under-award. Extrapolation of this monetary error estimates a total potential error of $54,614. This exceeds the $25,000 reporting threshold for monetary error within Federal Award Programs.

Perspective Information: The audit included a detailed testing of 32 files for undergraduate students who had received Unsubsidized Direct Loans, of which this significant deficiency applies to 3, indicating an error rate of 9.4%. This does not exceed the reporting threshold of 10% for Federal Award Programs.

Recommendation: The University should institute processes and controls to ensure that the student eligibility is assessed properly based upon grade level progression and that maximum Subsidized Direct Loans are awarded prior to Unsubsidized Direct Loans, as this practice is more beneficial for the student.

Cause and Effect: For one of the three students identified, the student was a transfer into the University from another institution for the 2023-24 school year. The student’s transcript was not received prior to awarding, so the student was awarded as a first-year student; once received, the award was not adjusted to reflect the credit hours previously earned by the student. Since the handbook states that the student eligibility must match the credit hours recognized academically by the receiving institution, this resulted in an under-award of Subsidized Direct Loans. For another of the three students identified, a system error resulted in an under-award. The error was not noticed by the responsible parties, so correction was not made, resulting in an under-award of Subsidized Direct Loans. For the final of the three students identified, the student received the full amount of aggregate annual Direct Loan eligibility as Unsubsidized Direct Loans. The student was a first-year student with adequate calculated need to receive the maximum Direct Subsidized Loans. This oversight results in an under-award of Subsidized Direct Loan, which should have been reclassified from Unsubsidized Direct Loans.

View of Responsible Officials: The University has determined that this finding was caused by a deficiency in the software’s calculation of the subsidized award. Specifically, the software failed to update the student’s records following changes in circumstances that impacted the calculation of financial need. In response, the University has conducted a thorough evaluation and implemented new software designed to address this issue and ensure accurate calculations in future cases.

2024-004 Significant Deficiency: Disbursement Notifications (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268; U.S. Department of Education, Teacher Education Assistance for College and Higher Education Grants, ALN #84.379) (Repeat Finding: 2023-005)

Criteria: In accordance with 34 CFR 668.165(a)(2), when a University credits a student’s account, the University must notify the student or parent of (i) the anticipated date and amount of the disbursement, (ii) the student’s or parent’s rights to cancel all or a portion of that loan or disbursement, and (iii) the procedures and time by which the student or parent must notify the University that he or she wishes to cancel the loan or disbursement. This communication must occur no earlier than 30 days before, and no later than seven days after, crediting the student’s ledger account at the institution if the institution does not obtain affirmative confirmation from the student.

Statement of Condition: During the 2024 audit, it was noted that certain students who had received Direct Loan funds and/or TEACH grant funds did not receive disbursement notifications.

Questioned Costs: Such information is not applicable for this finding since it is nonmonetary in nature.

Perspective Information: The 2024 audit included a detailed testing of 38 applicable student files, of which this significant deficiency applies to 13, indicating an error rate of 34.2%.

Cause and Effect: Due to a system failure during the Spring semester, many students did not receive notification from the University of Direct Loan or TEACH Grant disbursements made to their account. This glitch was not recognized by the responsible parties in a timely manner to manually create and disburse such notification. The purpose of disbursement notifications is to provide information to students and parents regarding their accounts and options they may have concerning Title IV aid. Neglecting to provide the disbursement notifications may result in students or parents making uninformed decisions.

Recommendation: The University should ensure system functionality periodically, specifically entering periods in which disbursements are concentrated, such as the beginning of the semester, to prevent lapses in mass. The University should also create a process to verify that disbursement notifications have been distributed as intended, so that any missed notices can be remedied timely.

View of Responsible Officials: The University has taken a comprehensive and proactive approach to address this issue through two key initiatives. First, we have instituted a robust audit process designed to ensure the integrity and functionality of the system responsible for documenting sent emails. This process enables us to systematically verify that the system is operating as intended. Second, we have deployed advanced software solutions that serve to mitigate the risk of similar issues arising in the future. These combined measures reflect our commitment to ensuring operational reliability and preventing recurrence.
2024-002 Significant Deficiency: Return to Title IV Funds (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268; Federal Pell Grant Program, ALN #84.063) Criteria: In accordance with 34 CFR 668.22(f), in the calculation of the percentage of payment period and/or period of enrollment completed, the total number of calendar days in a payment and/or enrollment period includes all days within the period, except that institutionally scheduled breaks of at least 5 consecutive calendar days and days in which the student was on an approved leave of absence are excluded from the total number of calendar days in a payment period and/or period of enrollment. Statement of Condition: During the audit, it was noted that the University used the incorrect number of completed days in the payment period or period of enrollment in calculating the percentage of the Title IV aid earned. Questioned Costs: This finding is monetary in nature. In the instances noted in testing, the total error identified is $1,992 in over-award. Extrapolation of this monetary error was not necessary as the 5 withdrawal students tested as part of the 2024 audit constitute the entire withdrawal population for the period under audit. This does not exceed the $25,000 reporting threshold for monetary error within Federal Award Programs. Perspective Information: The audit included a detailed testing of 5 withdrawal student files, of which this significant deficiency applies to 1, indicating an error rate of 20.0%. This does exceed the reporting threshold of 10% for Federal Award Programs. Cause and Effect: For one withdrawal calculation performed, the day count for days completed by the student was not performed per the instructions described in the Student Financial Aid Handbook. The student identified was enrolled in multiple modules within the same term. 
The individual withdrew from all classes enrolled in the earlier module, returned at the start of the second module, and then withdrew from the latter module and therefore, the University. At this time, an R2T4 was completed and in calculating completed days for the student, the University did not reduce the calculation of calendar days completed for the break between the withdrawal from the first module and the beginning of the second module. The use of an incorrect number of completed calendar days results in a miscalculation of percentage of Title IV aid earned and may additionally result in monetary error. Recommendation: The University should ensure that the number of completed days in the payment period or period of enrollment are counted correctly utilizing the guidance provided by the Compliance Supplement and the Student Financial Aid Handbook. View of Responsible Officials: The University has determined that this matter constitutes a unique training situation involving the application of procedures related to the Return of Title IV funds. In particular, the University recognizes the need for enhanced training concerning the accurate counting of days when a student withdraws, provides written notification of their intent to attend a future module within the same term, and subsequently withdraws from that second module. The error in question arose from the miscalculation of days, where the University inadvertently counted all days in the initial module rather than counting only the days leading up to the student's initial withdrawal prior to the final withdrawal from the second module. This oversight was attributed to an individual employee, and the University has proactively implemented comprehensive training and procedural safeguards to prevent similar occurrences in the future.
2024-001 Significant Deficiency: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) (Repeat Finding: 2023-001)
Criteria: In accordance with 16 CFR 314.4, a University shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue and must contain all of the elements that are further described in 16 CFR 314.4.
Statement of Condition: During the audit, it was noted that the University’s Gramm-Leach-Bliley Act Policy did not fully address all of the requirements as described by 16 CFR 314.4. In addition, the application of the comprehensive information security program was not effectively administered by the University during the 2024 year. An updated policy was put into place in July 2024, which addressed several of the deficiencies noted in the existing policy, but not all. The seven required elements for the GLBA policy are as follows, along with the status within each of the University’s policies in place during the year:
1. The policy designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance. Both the existing policy and the newly implemented policy sufficiently address this attribute. Luke Edwards, IT director, and Tim Fisher, IT Systems Analyst, work together to oversee the information security program and implementation of additional facets.
2. The policy provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Additional risk assessments are planned to be performed every 2 years to reexamine reasonably foreseeable risks and to account for changes in cybersecurity controls. The next risk assessment shall be completed by December 31, 2025.
3. The policy provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), which are detailed as follows:
3.1. Implement and periodically review access controls. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement, instituting a continuous monitoring process undertaken at periodic intervals. The University has contracted with a new software to assist with this, which is expected to be live by December 31, 2024.
3.2. Conduct a periodic inventory of data, noting where it is collected, stored or transmitted. Both the existing policy and the newly implemented policy are silent on this requirement. Resolution to this matter is expected to be addressed and incorporated into the policy by December 31, 2024.
3.3. Encrypt customer information on the institution’s system and when it is in transit. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. The University has had encryption in transit for several years but has not had encryption at rest. In October 2023, the University purchased licenses to enable encryption at rest and most virtual machines containing sensitive data were fully encrypted by April 30, 2024. The remaining virtual machines are planned to be encrypted by December 31, 2024.
3.4. Assess applications developed by the institution. Both the existing policy and the newly implemented policy are silent on this requirement. However, the University does not develop in-house applications for transmitting, accessing, or storing customer information.
3.5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. Both the existing policy and the newly implemented policy are silent on this requirement. However, the University utilizes multi-factor authentication on all connections to the server where the student information system is accessed, as well as administrative and financial applications.
3.6. Dispose of customer information securely. Both the existing policy and the newly implemented policy are silent on this requirement. Evaluation of organizational data retention policies for effectiveness is ongoing and expected to be completed by December 31, 2024. Future evaluations for the effectiveness of data retention policies will take place every other year in a joint venture with the Finance and IT Departments.
3.7. Anticipate and evaluate changes to the information system or network. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. Official policies should be in place by December 31, 2024.
3.8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. Both the existing policy and the newly implemented policy are silent on this requirement. Office 365 user logging has been in place; logging of sign-ins to on-premises resources was implemented in March 2024. IT has processes in place for addressing suspicious activity.
4. The policy provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement.
5. The policy provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program. Both the existing policy and the newly implemented policy sufficiently address this attribute. Software has been purchased and implemented for continuous monitoring of vulnerabilities within organizational software.
6. The policy addresses how the institution will oversee its information system service providers. This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Collection of SOC2 security reports from vendors that have access to systems with student information is in progress. The collection and analysis of these reports is expected to be completed by December 31, 2024. Review of these reports is planned to be conducted annually, with requests for updated security reports every 3 years.
7. The policy provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program. Both the existing policy and the newly implemented policy sufficiently address this attribute. Status reports regarding facets of the information security policy are provided to senior leadership team members and to the board at least annually at their regularly scheduled meetings.
Questioned Costs: Such information is not applicable for this finding since it is nonmonetary in nature.
Perspective Information: The 2024 audit included testing of the University’s Gramm-Leach-Bliley Act Policy as outlined in Part 5 of the Compliance Supplement including the application of this program for the year.
Cause and Effect: During the current year, the responsible parties began putting procedures into place and drafted an updated policy to ensure deficiencies in the information security policy are addressed. As this process requires the coordination of multiple individuals, software systems, and approvals, the updates were unable to be completed by June 30, 2024.
Recommendation: The University should continue to update their Gramm-Leach-Bliley Act Policy to be in accordance with the requirements and put in place effective controls and practices to ensure the policy is monitored in a way to ensure it is administered effectively and timely.
View of Responsible Officials: The Johnson University IT Department has consistently worked to improve compliance with GLBA regulations since July 2023. The leadership of Johnson University has taken a proactive and measured approach to GLBA compliance that ensures a balance between reaching compliance quickly and reaching compliance with long-term strategic planning. This has led to a GLBA implementation that will take 2 or more years but will set up the university for long-term excellence in compliance and security. The University understands the importance of GLBA requirements and is committed to ensuring student data is protected from all foreseeable threats. It will continue to iterate on its GLBA corrective action plan to ensure proper compliance for long-term security.
2024-003 Significant Deficiency: Direct Loan Limits (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268)
Criteria: In accordance with the Federal Student Aid Handbook, Volume 3, Chapter 3, you must determine an undergraduate student’s Pell Grant eligibility before originating a Direct Subsidized or Unsubsidized Loan for that student, and you must package Campus-Based funds and Direct Subsidized Loans before Direct Unsubsidized Loans. In addition, you must determine an undergraduate student’s maximum Direct Subsidized Loan eligibility before originating a Direct Unsubsidized Loan for the student. The student’s maximum annual loan limit increases as the student progresses to higher grade levels.
Statement of Condition: During the audit, it was noted that the University did not fulfill maximum award of students’ Direct Subsidized Loan eligibility prior to awarding Unsubsidized Direct Loans.
Questioned Costs: This finding is monetary in nature. In the instances noted in testing, the total error is $5,983 in under-award. Extrapolation of this monetary error estimates a total potential error of $54,614. This exceeds the $25,000 reporting threshold for monetary error within Federal Award Programs.
Perspective Information: The audit included a detailed testing of 32 files for undergraduate students who had received Unsubsidized Direct Loans, of which this significant deficiency applies to 3, indicating an error rate of 9.4%. This does not exceed the reporting threshold of 10% for Federal Award Programs.
Recommendation: The University should institute processes and controls to ensure that the student eligibility is assessed properly based upon grade level progression and that maximum Subsidized Direct Loans are awarded prior to Unsubsidized Direct Loans, as this practice is more beneficial for the student.
Cause and Effect: For one of the three students identified, the student was a transfer into the University from another institution for the 2023-24 school year. The student’s transcript was not received prior to awarding, so the student was awarded as a first-year student; once received, the award was not adjusted to reflect the credit hours previously earned by the student. Since the handbook states that the student eligibility must match the credit hours recognized academically by the receiving institution, this resulted in an under-award of Subsidized Direct Loans. For another of the three students identified, a system error resulted in an under-award. The error was not noticed by the responsible parties, so correction was not made, resulting in an under-award of Subsidized Direct Loans. For the final of the three students identified, the student received the full amount of aggregate annual Direct Loan eligibility as Unsubsidized Direct Loans. The student was a first-year student with adequate calculated need to receive the maximum Direct Subsidized Loans. This oversight results in an under-award of Subsidized Direct Loan, which should have been reclassified from Unsubsidized Direct Loans.
View of Responsible Officials: The University has determined that this finding was caused by a deficiency in the software’s calculation of the subsidized award. Specifically, the software failed to update the student’s records following changes in circumstances that impacted the calculation of financial need. In response, the University has conducted a thorough evaluation and implemented new software designed to address this issue and ensure accurate calculations in future cases.
2024-004 Significant Deficiency: Disbursement Notifications (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268; U.S. Department of Education, Teacher Education Assistance for College and Higher Education Grants, ALN #84.379) (Repeat Finding: 2023-005)
Criteria: In accordance with 34 CFR 668.165(a)(2), when a University credits a student’s account, the University must notify the student or parent of (i) the anticipated date and amount of the disbursement, (ii) the student’s or parent’s rights to cancel all or a portion of that loan or disbursement, and (iii) the procedures and time by which the student or parent must notify the University that he or she wishes to cancel the loan or disbursement. This communication must occur no earlier than 30 days before, and no later than seven days after, crediting the student’s ledger account at the institution if the institution does not obtain affirmative confirmation from the student.
Statement of Condition: During the 2024 audit, it was noted that certain students who had received Direct Loan funds and/or TEACH grant funds did not receive disbursement notifications.
Questioned Costs: Such information is not applicable for this finding since it is nonmonetary in nature.
Perspective Information: The 2024 audit included a detailed testing of 38 applicable student files, of which this significant deficiency applies to 13, indicating an error rate of 34.2%.
Cause and Effect: Due to a system failure during the Spring semester, many students did not receive notification from the University of Direct Loan or TEACH Grant disbursements made to their account. This glitch was not recognized by the responsible parties in a timely manner to manually create and disburse such notification. The purpose of disbursement notifications is to provide information to students and parents regarding their accounts and options they may have concerning Title IV aid. Neglecting to provide the disbursement notifications may result in students or parents making uninformed decisions.
Recommendation: The University should ensure system functionality periodically, specifically entering periods in which disbursements are concentrated, such as the beginning of the semester, to prevent lapses in mass. The University should also create a process to verify that disbursement notifications have been distributed as intended, so that any missed notices can be remedied timely.
View of Responsible Officials: The University has taken a comprehensive and proactive approach to address this issue through two key initiatives. First, we have instituted a robust audit process designed to ensure the integrity and functionality of the system responsible for documenting sent emails. This process enables us to systematically verify that the system is operating as intended. Second, we have deployed advanced software solutions that serve to mitigate the risk of similar issues arising in the future. These combined measures reflect our commitment to ensuring operational reliability and preventing recurrence.