FAC Explorer

Audit 336229

FY End
2024-06-30
Total Expended
$10.63M
Findings
48
Programs
7
Organization: Mount Mercy University (IA)
Year: 2024 Accepted: 2025-01-07
Auditor: Cliftonlarsonallen LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
517958 2024-001 Significant Deficiency Yes L
517959 2024-001 Significant Deficiency Yes L
517960 2024-001 Significant Deficiency Yes L
517961 2024-001 Significant Deficiency Yes L
517962 2024-001 Significant Deficiency Yes L
517963 2024-001 Significant Deficiency Yes L
517964 2024-001 Significant Deficiency Yes L
517965 2024-001 Significant Deficiency Yes L
517966 2024-002 Significant Deficiency Yes N
517967 2024-002 Significant Deficiency Yes N
517968 2024-002 Significant Deficiency Yes N
517969 2024-002 Significant Deficiency Yes N
517970 2024-002 Significant Deficiency Yes N
517971 2024-002 Significant Deficiency Yes N
517972 2024-002 Significant Deficiency Yes N
517973 2024-002 Significant Deficiency Yes N
517974 2024-003 Significant Deficiency Yes N
517975 2024-003 Significant Deficiency Yes N
517976 2024-003 Significant Deficiency Yes N
517977 2024-003 Significant Deficiency Yes N
517978 2024-003 Significant Deficiency Yes N
517979 2024-003 Significant Deficiency Yes N
517980 2024-003 Significant Deficiency Yes N
517981 2024-003 Significant Deficiency Yes N
1094400 2024-001 Significant Deficiency Yes L
1094401 2024-001 Significant Deficiency Yes L
1094402 2024-001 Significant Deficiency Yes L
1094403 2024-001 Significant Deficiency Yes L
1094404 2024-001 Significant Deficiency Yes L
1094405 2024-001 Significant Deficiency Yes L
1094406 2024-001 Significant Deficiency Yes L
1094407 2024-001 Significant Deficiency Yes L
1094408 2024-002 Significant Deficiency Yes N
1094409 2024-002 Significant Deficiency Yes N
1094410 2024-002 Significant Deficiency Yes N
1094411 2024-002 Significant Deficiency Yes N
1094412 2024-002 Significant Deficiency Yes N
1094413 2024-002 Significant Deficiency Yes N
1094414 2024-002 Significant Deficiency Yes N
1094415 2024-002 Significant Deficiency Yes N
1094416 2024-003 Significant Deficiency Yes N
1094417 2024-003 Significant Deficiency Yes N
1094418 2024-003 Significant Deficiency Yes N
1094419 2024-003 Significant Deficiency Yes N
1094420 2024-003 Significant Deficiency Yes N
1094421 2024-003 Significant Deficiency Yes N
1094422 2024-003 Significant Deficiency Yes N
1094423 2024-003 Significant Deficiency Yes N

Programs

ALN Program Spent Major Findings
84.063 Federal Pell Grant Program $1.72M Yes 3
84.268 Federal Direct Student Loans $1.26M Yes 3
84.038 Perkins Loan Program $386,945 Yes 3
84.033 Federal Work-Study Program $171,603 Yes 3
84.007 Federal Supplemental Educational Opportunity Grants $118,124 Yes 3
93.264 Nurse Faculty Loan Program (nflp) $104,129 Yes 3
84.379 Teacher Education Assistance for College and Higher Education Grants (teach Grants) $54,694 Yes 0

Contacts

Name Title Type
HVXGEGDQK9U8 Brittney Burmahl Auditee
3193631323 Chad Lassen Auditor
No contacts on file

Notes to SEFA

Title: BASIS OF PRESENTATION Accounting Policies: Expenditures recognized on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. De Minimis Rate Used: N Rate Explanation: The University has not elected to use the 10% de minimis indirect cost rate as allowed under the Uniform Guidance. The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of Mount Mercy University (the University) under programs of the federal government for the year ended June 30, 2024. The information in the Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the University, it is not intended to and does not present the financial position, changes in net assets, or cash flows of the University.
Title: LOAN PROGRAMS Accounting Policies: Expenditures recognized on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. De Minimis Rate Used: N Rate Explanation: The University has not elected to use the 10% de minimis indirect cost rate as allowed under the Uniform Guidance. At June 30, 2024, the University had the following federal loan program receivables from participating students: Program Title/ Assistance ListingNumber / Amount Outstanding Federal Perkins Loan Program / 84.038 / $72,589 Federal Nurse Faculty Educator Loan Program / 93.264 / $52,569 There was no federal capital contribution received for the Federal Perkins Loan Program or Federal Nurse Faculty Educator Loan Program during the year ended June 30, 2024. There were no Federal Perkins Loans or Federal Nurse Faculty Education Loans made during the year. During the year ended June 30, 2024, the University issued new loans to students under the Federal Direct Loan Program (FDLP). The loan program includes subsidized and unsubsidized Stafford Loans, Parent PLUS Loans, and PLUS Loans for graduate students. The value of loans issued for the FDLP is based on disbursed amounts. The loan amounts issued during the year are disclosed in the Schedule. The University is responsible only for the performance of certain administrative duties with respect to the federally guaranteed student loan programs and accordingly, balances and transactions relating to these loan programs are not included in the University’s basic financial statements. Therefore, it is not practicable to determine the balance of loans outstanding to these students and former students of the University at June 30, 2024.
Title: STUDENT FINANCIAL AID INSTITUTIONAL AND PROGRAM ELIGIBILITY METRICS Accounting Policies: Expenditures recognized on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. De Minimis Rate Used: N Rate Explanation: The University has not elected to use the 10% de minimis indirect cost rate as allowed under the Uniform Guidance. The University is in compliance with the following institutional and program eligibility requirements under the Higher Education Act of 1965 and Federal regulations under 34 CFR 668.23: • Correspondence courses the institution offers under 34 CFR 600.7(b) and (g) • Regular students that enroll in correspondence courses under 34 CFR 600.7(b) and (g) • Institution’s regular students that are incarcerated under 34 CFR 600.7(c) and (g) • Completion rates for confined or incarcerated individuals enrolled in non-degree programs at nonprofit institutions under 34 CFR 600.7(c)(3)(ii) and (g) • Institution’s regular students that lack a high school diploma or its equivalent under 34 CFR 600.7(d) and (g) • Completion rates for short-term programs under 34 CFR 668.8(f) and (g) • Placement rates for short-term programs under https://www.ecfr.gov/current/title-34/subtitle-B/chapter-VI/part-668/subpart-A/section-668.8 34 CFR 668.8(e)(2)

Finding Details

Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-001
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 685.309 requires that enrollment status changes for students be reported to NSLDS within 30 days or within 60 days if the student with the status change will be reported on a scheduled transmission within 60 days of the change in status. Condition: During our testing of the Direct Loan and Pell Grant programs, we selected a sample of students to test for timeliness of reporting student status changes to the National Student Loan Data System (NSLDS). During our testing, we noted that 4 out of 40 students did not have their enrollment status timely reported. Questioned Costs: None reported Context: The students did not notify the University of their intent not to return, so they were not identified until the start of the next semester. Cause: The University does not have a process in place to identify non-returning students timely. Effect: The NSLDS system is not updated with the student information which can cause over awarding should the student transfer to another institution and the students may not properly enter the repayment period. Repeat Finding: Yes Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-002
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Code of Federal Regulations, 34 CFR 674.19(e) states that Institutions must retain original, true and exact copies of promissory and master promissory notes (MPN), repayment records, and cancellation and deferment requests for each Perkins loan made. An original electronically signed MPN must be retained by the institution for three years after all the loans made on the MPN are satisfied. Condition: During our testing, we noted for 3 out of 49 Perkins files tested, the MPN was not retained on file. These files were paid in full and the original MPN was sent to the borrower with the paid in full communication. Questioned Costs: None reported Context: The MPNs for the three students were not kept for at least three years as required by the regulation. Cause: The loans were paid in full, and the University was not aware of the requirement to retain a copy of the MPN for at least three years after the loan was satisfied. Effect: The University was not in compliance with the Perkins recordkeeping regulations. Repeat Finding: Yes Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster Assistance Listing Number: 84.038, 84.268, 84.033, 84.007, 84.063, 84.268, 93.264 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matter Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: Under a University’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned Costs: None reported Context: During our audit procedures, it was noted that the University’s Written Information Security Program was not evaluated and adjusted based on monitoring results, risk assessments and penetration tests within the audit period. Cause: The University has not created appropriate policies that address all GLBA Safeguard Rules. Effect: The students’ personal information could be vulnerable. Repeat Finding: Yes Recommendation: We recommend that the University review each element of GLBA to ensure compliance with all necessary requirements. Views of Responsible Officials: There is no disagreement with the audit finding.