FAC Explorer

Audit 33926

FY End
2022-06-30
Total Expended
$249.90M
Findings
6
Programs
90
Organization: The Medical College of Wisconsin, INC (WI)
Year: 2022 Accepted: 2023-02-20
Auditor: Kpmg LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
30137 2022-002 Significant Deficiency Yes P
30138 2022-002 Significant Deficiency Yes P
30139 2022-002 Significant Deficiency Yes P
606579 2022-002 Significant Deficiency Yes P
606580 2022-002 Significant Deficiency Yes P
606581 2022-002 Significant Deficiency Yes P

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $49.06M Yes 1
93.498 Provider Relief Fund $33.08M Yes 0
93.837 Cardiovascular Diseases Research $21.76M - 0
93.839 Blood Diseases and Resources Research $14.90M - 0
93.847 Diabetes, Digestive, and Kidney Diseases Extramural Research $10.05M - 0
93.395 Cancer Treatment Research $8.69M - 0
93.342 Health Professions Student Loans, Including Primary Care Loans/loans for Disadvantaged Students $8.36M Yes 1
93.853 Extramural Research Programs in the Neurosciences and Neurological Disorders $5.61M - 0
93.859 Biomedical Research and Research Training $5.42M - 0
93.867 Vision Research $4.26M - 0
12.420 Military Medical Research and Development $3.24M - 0
93.310 Trans-Nih Research Support $3.08M - 0
93.279 Drug Abuse and Addiction Research Programs $2.72M - 0
93.394 Cancer Detection and Diagnosis Research $2.67M - 0
93.242 Mental Health Research Grants $2.57M - 0
93.865 Child Health and Human Development Extramural Research $2.53M - 0
93.393 Cancer Cause and Prevention Research $2.34M - 0
93.396 Cancer Biology Research $2.33M - 0
84.038 Federal Perkins Loan Program $2.10M Yes 1
93.838 Lung Diseases Research $1.82M - 0
93.353 21st Century Cures Act - Beau Biden Cancer Moonshot $1.63M - 0
93.361 Nursing Research $972,233 - 0
93.866 Aging Research $933,309 - 0
93.173 Research Related to Deafness and Communication Disorders $927,533 - 0
20.RD National Highway Traffic Safety Administration (nhtsa) $801,245 - 0
93.RD Substance Abuse and Mental Health Services Administration $729,731 - 0
93.398 Cancer Research Manpower $624,033 - 0
43.003 Exploration $596,291 - 0
93.RD Centers for Medicare and Medicaid Services $591,262 - 0
93.247 Advanced Nursing Education Grant Program $529,985 - 0
12.431 Basic Scientific Research $513,775 - 0
93.233 National Center on Sleep Disorders Research $465,647 - 0
93.307 Minority Health and Health Disparities Research $452,293 - 0
93.137 Community Programs to Improve Minority Health Grant Program $385,734 - 0
12.RD Department of the Navy $328,807 - 0
16.RD Bureau of Justice Assistance $246,830 - 0
12.RD Uniformed Services University of the Health Sciences $233,833 - 0
93.959 Block Grants for Prevention and Treatment of Substance Abuse $229,574 - 0
93.186 National Research Service Award in Primary Care Medicine $223,539 - 0
93.213 Research and Training in Complementary and Integrative Health $214,624 - 0
93.286 Discovery and Applied Research for Technological Innovations to Improve Human Health $211,595 - 0
93.121 Oral Diseases and Disorders Research $206,388 - 0
93.994 Maternal and Child Health Services Block Grant to the States $202,854 - 0
14.218 Community Development Block Grants/entitlement Grants $200,052 - 0
93.113 Environmental Health $185,894 - 0
93.080 Blood Disorder Program: Prevention, Surveillance, and Research $181,092 - 0
93.855 Allergy, Immunology and Transplantation Research $176,660 - 0
93.RD Agency for Healthcare Research and Quality $168,128 - 0
93.846 Arthritis, Musculoskeletal and Skin Diseases Research $156,889 - 0
21.019 Coronavirus Relief Fund $133,494 Yes 0
47.075 Social, Behavioral, and Economic Sciences $113,242 - 0
93.134 Grants to Increase Organ Donations $109,766 - 0
93.RD Centers for Disease Control and Prevention $84,636 - 0
16.RD U.s. Department of Justice $84,302 - 0
93.RD Office of the Secretary $82,021 - 0
93.092 Affordable Care Act (aca) Personal Responsibility Education Program $80,486 - 0
64.RD U.s. Department of Veterans Affairs $73,465 - 0
93.461 Covid-19 Testing for the Uninsured $71,799 - 0
93.977 Preventive Health Services_sexually Transmitted Diseases Control Grants $66,872 - 0
47.049 Mathematical and Physical Sciences $61,998 - 0
93.243 Substance Abuse and Mental Health Services_projects of Regional and National Significance $61,995 - 0
93.576 Refugee and Entrant Assistance_discretionary Grants $52,388 - 0
93.350 National Center for Advancing Translational Sciences $51,516 - 0
21.027 Coronavirus State and Local Fiscal Recovery Funds $49,222 - 0
93.889 National Bioterrorism Hospital Preparedness Program $48,860 - 0
10.310 Agriculture and Food Research Initiative (afri) $46,683 - 0
93.351 Research Infrastructure Programs $42,770 - 0
45.162 Promotion of the Humanities_teaching and Learning Resources and Curriculum Development $38,675 - 0
64.034 Va Assistance to United States Paralympic Integrated Adaptive Sports Program $37,000 - 0
93.426 Improving the Health of Americans Through Prevention and Management of Diabetes and Heart Disease and Stroke $34,109 - 0
20.108 Aviation Research Grants $32,517 - 0
93.074 Hospital Preparedness Program (hpp) and Public Health Emergency Preparedness (phep) Aligned Cooperative Agreements $29,664 - 0
16.817 Byrne Criminal Justice Innovation Program $29,655 - 0
93.110 Maternal and Child Health Federal Consolidated Programs $29,244 - 0
12.RD U.s. Army Medical Command $27,291 - 0
93.136 Injury Prevention and Control Research and State and Community Based Programs $23,556 - 0
84.425 Education Stabilization Fund $21,679 - 0
93.RD Food and Drug Administration $19,458 - 0
47.076 Education and Human Resources $17,629 - 0
93.RD Health Resources and Services Administration (hrsa) $8,674 - 0
93.RD Administration for Community Living $6,464 - 0
93.778 Medical Assistance Program $6,179 - 0
93.153 Coordinated Services and Access to Research for Women, Infants, Children, and Youth $6,172 - 0
93.RD National Institutes of Health (nih) $3,522 - 0
93.940 Hiv Prevention Activities_health Department Based $2,676 - 0
47.074 Biological Sciences $1,696 - 0
93.566 Refugee and Entrant Assistance_state Administered Programs $1,131 - 0
93.917 Hiv Care Formula Grants $668 - 0
98.001 Usaid Foreign Assistance for Programs Overseas $594 - 0
47.RD National Science Foundation $-7,263 - 0

Contacts

Name Title Type
E8VWJXMMUQ67 Pamela Stanick Auditee
4149558506 Charles D Klescewski Auditor
No contacts on file

Notes to SEFA

Title: (5) Federal Government Student Loan Programs Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. De Minimis Rate Used: N Rate Explanation: MCW and federal agencies use a facilities and administrative cost rate to charge facilities and administrative costs to individual sponsored projects. The rate is the result of a number of complex cost allocation procedures that MCW uses to allocate its facilities and administrative costs to both sponsored and non-sponsored activities. The costs allocated to sponsored projects are divided by the direct costs of sponsored projects to arrive at a rate. The U.S. Department of Health and Human Services (DHHS) must approve the rate before MCW can use it to charge facilities and administrative costs to federally sponsored projects. MCW has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The Perkins, Primary Care, and Health Professions Student Loan Programs are administered directly by MCW, and balances and transactions relating to these programs are included in MCWs consolidated financial statements. Loans outstanding at the beginning of the year, loans made during the year, and administrative charges are included in the federal expenditures presented in the Schedule. The balance of loans outstanding under the Perkins, Primary Care, and Health Professions Student Loan Programs was $1,511,692, $6,711,836, and $836,802 respectively, at June 30, 2022.MCW is responsible only for the performance of certain administrative duties with respect to the federally guaranteed Direct Loan Program, and accordingly, these loans are not included in its consolidated financial statements. It is not practical to determine the balance of loans outstanding to students and former students of MCW under these programs at June 30, 2022.
Title: (3) Federal Major Programs Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. De Minimis Rate Used: N Rate Explanation: MCW and federal agencies use a facilities and administrative cost rate to charge facilities and administrative costs to individual sponsored projects. The rate is the result of a number of complex cost allocation procedures that MCW uses to allocate its facilities and administrative costs to both sponsored and non-sponsored activities. The costs allocated to sponsored projects are divided by the direct costs of sponsored projects to arrive at a rate. The U.S. Department of Health and Human Services (DHHS) must approve the rate before MCW can use it to charge facilities and administrative costs to federally sponsored projects. MCW has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. Student Financial Assistance Program ClusterMCW receives awards to make loans to eligible students under certain federal student loan programs, and federally guaranteed loans are issued to the students of MCW through the Department of Educations Direct Loan Program. These loans are considered for purposes of determining whether student financial assistance is a major program under Uniform Guidance; Perkins, Primary Care, and Health Professions Student Loans outstanding at the beginning of the year, loans made during the year, and administrative charges are included in the federal expenditures presented in the Schedule, in addition to Direct Loan Program disbursements. The student financial assistance category does not include programs that provide fellowships or similar awards to students on a competitive basis. Those programs are classified either as research and development or as nonmajor programs.Provider Relief FundThe Provider Relief Fund (PRF) program is administered by the Health Resources and Services Administration to support eligible providers during the COVID 19 pandemic and was approved for funding originally under the Coronavirus Aid, Relief and Economic Securities Act. PRF funds were provided to eligible providers to support healthcare related expenses or lost revenues attributable to the Coronavirus without application but rather with terms and conditions. These terms and conditions required acceptance through an online portal. MCW accepted the terms and conditions. The accompanying schedule of expenditures of Federal awards includes PRF funds for Periods 2 and 3 defined as payments received between July 1, 2020 to June 30, 2021.
Title: (4) Research and Development Program Cluster Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. De Minimis Rate Used: N Rate Explanation: MCW and federal agencies use a facilities and administrative cost rate to charge facilities and administrative costs to individual sponsored projects. The rate is the result of a number of complex cost allocation procedures that MCW uses to allocate its facilities and administrative costs to both sponsored and non-sponsored activities. The costs allocated to sponsored projects are divided by the direct costs of sponsored projects to arrive at a rate. The U.S. Department of Health and Human Services (DHHS) must approve the rate before MCW can use it to charge facilities and administrative costs to federally sponsored projects. MCW has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. Research and development programs include those awards that are for basic and applied research and development activities, including all awards issued by the National Institutes of Health. The Uniform Guidance defines research and development as follows: research is the systematic study directed toward fuller scientific knowledge or understanding of the subject studied; development is the systematic use of knowledge and understanding gained from research directed toward the production of useful materials, devices, systems, or methods, including design and development of prototypes and processes.

Finding Details

Finding 2022-002
Finding 2022-02 General Information Technology Controls Federal Agency: U.S. Department of Education Program Name: Student Financial Aid Cluster CFDA Number: Various Grant Identification Number: Various Grant Award Period: July 1, 2021 through June 30, 2022 Criteria The 2 CFR Section 200.303 requires that non federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition Found During test work performed over the Student Financial Aid Cluster, we noted that within the student information system (the system), certain general information technology controls surrounding change management and user access appeared to be missing or ineffectively designed. Specifically, users with certain administrative access rights have access to the underlying source code of the system and could implement changes directly in the system. There were no monitoring controls over these accounts regarding source code changes. In addition, the password to certain administrative accounts that are used to provision/de provision user access is not routinely changed, and thus could result in employees with inappropriate access. Cause A new student information system was implemented resulting in controls which previously were manual in nature, being replaced with automated controls within the system. As automated control reliance on the system increased, monitoring of system changes and policies surrounding access to administrator and super user accounts were not adequately considered or developed consistent with overall information technology policies and procedures in place at MCW. Effect If controls surrounding change management and user access are ineffectively designed, student financial aid may be disbursed in the incorrect amount or to a student who does not meet the eligibility requirements as stated in the Compliance Supplement. Questioned Costs None Statistically Valid Sample The sample was not intended to be, and was not, a statistically valid sample Repeat Finding Yes Recommendation We recommend MCW implement policies and procedures over monitoring of student financial aid system changes and user access. Management?s Response While manual controls mitigated the disbursement of an incorrect amount or disbursement to a student who does not meet the eligibility requirements, MCW concurs and has put significant effort into adding additional change management and user access controls to the student information system. As stated above, these conditions occurred when MCW changed student information systems and began relying more heavily on automated controls within the student information system, instead of solely relying on manual controls outside of the system. Two areas that needed to be addressed were related to general information technology controls: 1. Users with certain administrative access rights have access to the underlying source code of the system and lack monitoring controls over these accounts regarding source code changes. 2. Password requirements for certain administrative accounts were not routinely changed. As of May 10, 2022, MCW implemented controls to address the matters noted above.
Finding 2022-002
Finding 2022-02 General Information Technology Controls Federal Agency: U.S. Department of Education Program Name: Student Financial Aid Cluster CFDA Number: Various Grant Identification Number: Various Grant Award Period: July 1, 2021 through June 30, 2022 Criteria The 2 CFR Section 200.303 requires that non federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition Found During test work performed over the Student Financial Aid Cluster, we noted that within the student information system (the system), certain general information technology controls surrounding change management and user access appeared to be missing or ineffectively designed. Specifically, users with certain administrative access rights have access to the underlying source code of the system and could implement changes directly in the system. There were no monitoring controls over these accounts regarding source code changes. In addition, the password to certain administrative accounts that are used to provision/de provision user access is not routinely changed, and thus could result in employees with inappropriate access. Cause A new student information system was implemented resulting in controls which previously were manual in nature, being replaced with automated controls within the system. As automated control reliance on the system increased, monitoring of system changes and policies surrounding access to administrator and super user accounts were not adequately considered or developed consistent with overall information technology policies and procedures in place at MCW. Effect If controls surrounding change management and user access are ineffectively designed, student financial aid may be disbursed in the incorrect amount or to a student who does not meet the eligibility requirements as stated in the Compliance Supplement. Questioned Costs None Statistically Valid Sample The sample was not intended to be, and was not, a statistically valid sample Repeat Finding Yes Recommendation We recommend MCW implement policies and procedures over monitoring of student financial aid system changes and user access. Management?s Response While manual controls mitigated the disbursement of an incorrect amount or disbursement to a student who does not meet the eligibility requirements, MCW concurs and has put significant effort into adding additional change management and user access controls to the student information system. As stated above, these conditions occurred when MCW changed student information systems and began relying more heavily on automated controls within the student information system, instead of solely relying on manual controls outside of the system. Two areas that needed to be addressed were related to general information technology controls: 1. Users with certain administrative access rights have access to the underlying source code of the system and lack monitoring controls over these accounts regarding source code changes. 2. Password requirements for certain administrative accounts were not routinely changed. As of May 10, 2022, MCW implemented controls to address the matters noted above.
Finding 2022-002
Finding 2022-02 General Information Technology Controls Federal Agency: U.S. Department of Education Program Name: Student Financial Aid Cluster CFDA Number: Various Grant Identification Number: Various Grant Award Period: July 1, 2021 through June 30, 2022 Criteria The 2 CFR Section 200.303 requires that non federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition Found During test work performed over the Student Financial Aid Cluster, we noted that within the student information system (the system), certain general information technology controls surrounding change management and user access appeared to be missing or ineffectively designed. Specifically, users with certain administrative access rights have access to the underlying source code of the system and could implement changes directly in the system. There were no monitoring controls over these accounts regarding source code changes. In addition, the password to certain administrative accounts that are used to provision/de provision user access is not routinely changed, and thus could result in employees with inappropriate access. Cause A new student information system was implemented resulting in controls which previously were manual in nature, being replaced with automated controls within the system. As automated control reliance on the system increased, monitoring of system changes and policies surrounding access to administrator and super user accounts were not adequately considered or developed consistent with overall information technology policies and procedures in place at MCW. Effect If controls surrounding change management and user access are ineffectively designed, student financial aid may be disbursed in the incorrect amount or to a student who does not meet the eligibility requirements as stated in the Compliance Supplement. Questioned Costs None Statistically Valid Sample The sample was not intended to be, and was not, a statistically valid sample Repeat Finding Yes Recommendation We recommend MCW implement policies and procedures over monitoring of student financial aid system changes and user access. Management?s Response While manual controls mitigated the disbursement of an incorrect amount or disbursement to a student who does not meet the eligibility requirements, MCW concurs and has put significant effort into adding additional change management and user access controls to the student information system. As stated above, these conditions occurred when MCW changed student information systems and began relying more heavily on automated controls within the student information system, instead of solely relying on manual controls outside of the system. Two areas that needed to be addressed were related to general information technology controls: 1. Users with certain administrative access rights have access to the underlying source code of the system and lack monitoring controls over these accounts regarding source code changes. 2. Password requirements for certain administrative accounts were not routinely changed. As of May 10, 2022, MCW implemented controls to address the matters noted above.
Finding 2022-002
Finding 2022-02 General Information Technology Controls Federal Agency: U.S. Department of Education Program Name: Student Financial Aid Cluster CFDA Number: Various Grant Identification Number: Various Grant Award Period: July 1, 2021 through June 30, 2022 Criteria The 2 CFR Section 200.303 requires that non federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition Found During test work performed over the Student Financial Aid Cluster, we noted that within the student information system (the system), certain general information technology controls surrounding change management and user access appeared to be missing or ineffectively designed. Specifically, users with certain administrative access rights have access to the underlying source code of the system and could implement changes directly in the system. There were no monitoring controls over these accounts regarding source code changes. In addition, the password to certain administrative accounts that are used to provision/de provision user access is not routinely changed, and thus could result in employees with inappropriate access. Cause A new student information system was implemented resulting in controls which previously were manual in nature, being replaced with automated controls within the system. As automated control reliance on the system increased, monitoring of system changes and policies surrounding access to administrator and super user accounts were not adequately considered or developed consistent with overall information technology policies and procedures in place at MCW. Effect If controls surrounding change management and user access are ineffectively designed, student financial aid may be disbursed in the incorrect amount or to a student who does not meet the eligibility requirements as stated in the Compliance Supplement. Questioned Costs None Statistically Valid Sample The sample was not intended to be, and was not, a statistically valid sample Repeat Finding Yes Recommendation We recommend MCW implement policies and procedures over monitoring of student financial aid system changes and user access. Management?s Response While manual controls mitigated the disbursement of an incorrect amount or disbursement to a student who does not meet the eligibility requirements, MCW concurs and has put significant effort into adding additional change management and user access controls to the student information system. As stated above, these conditions occurred when MCW changed student information systems and began relying more heavily on automated controls within the student information system, instead of solely relying on manual controls outside of the system. Two areas that needed to be addressed were related to general information technology controls: 1. Users with certain administrative access rights have access to the underlying source code of the system and lack monitoring controls over these accounts regarding source code changes. 2. Password requirements for certain administrative accounts were not routinely changed. As of May 10, 2022, MCW implemented controls to address the matters noted above.
Finding 2022-002
Finding 2022-02 General Information Technology Controls Federal Agency: U.S. Department of Education Program Name: Student Financial Aid Cluster CFDA Number: Various Grant Identification Number: Various Grant Award Period: July 1, 2021 through June 30, 2022 Criteria The 2 CFR Section 200.303 requires that non federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition Found During test work performed over the Student Financial Aid Cluster, we noted that within the student information system (the system), certain general information technology controls surrounding change management and user access appeared to be missing or ineffectively designed. Specifically, users with certain administrative access rights have access to the underlying source code of the system and could implement changes directly in the system. There were no monitoring controls over these accounts regarding source code changes. In addition, the password to certain administrative accounts that are used to provision/de provision user access is not routinely changed, and thus could result in employees with inappropriate access. Cause A new student information system was implemented resulting in controls which previously were manual in nature, being replaced with automated controls within the system. As automated control reliance on the system increased, monitoring of system changes and policies surrounding access to administrator and super user accounts were not adequately considered or developed consistent with overall information technology policies and procedures in place at MCW. Effect If controls surrounding change management and user access are ineffectively designed, student financial aid may be disbursed in the incorrect amount or to a student who does not meet the eligibility requirements as stated in the Compliance Supplement. Questioned Costs None Statistically Valid Sample The sample was not intended to be, and was not, a statistically valid sample Repeat Finding Yes Recommendation We recommend MCW implement policies and procedures over monitoring of student financial aid system changes and user access. Management?s Response While manual controls mitigated the disbursement of an incorrect amount or disbursement to a student who does not meet the eligibility requirements, MCW concurs and has put significant effort into adding additional change management and user access controls to the student information system. As stated above, these conditions occurred when MCW changed student information systems and began relying more heavily on automated controls within the student information system, instead of solely relying on manual controls outside of the system. Two areas that needed to be addressed were related to general information technology controls: 1. Users with certain administrative access rights have access to the underlying source code of the system and lack monitoring controls over these accounts regarding source code changes. 2. Password requirements for certain administrative accounts were not routinely changed. As of May 10, 2022, MCW implemented controls to address the matters noted above.
Finding 2022-002
Finding 2022-02 General Information Technology Controls Federal Agency: U.S. Department of Education Program Name: Student Financial Aid Cluster CFDA Number: Various Grant Identification Number: Various Grant Award Period: July 1, 2021 through June 30, 2022 Criteria The 2 CFR Section 200.303 requires that non federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition Found During test work performed over the Student Financial Aid Cluster, we noted that within the student information system (the system), certain general information technology controls surrounding change management and user access appeared to be missing or ineffectively designed. Specifically, users with certain administrative access rights have access to the underlying source code of the system and could implement changes directly in the system. There were no monitoring controls over these accounts regarding source code changes. In addition, the password to certain administrative accounts that are used to provision/de provision user access is not routinely changed, and thus could result in employees with inappropriate access. Cause A new student information system was implemented resulting in controls which previously were manual in nature, being replaced with automated controls within the system. As automated control reliance on the system increased, monitoring of system changes and policies surrounding access to administrator and super user accounts were not adequately considered or developed consistent with overall information technology policies and procedures in place at MCW. Effect If controls surrounding change management and user access are ineffectively designed, student financial aid may be disbursed in the incorrect amount or to a student who does not meet the eligibility requirements as stated in the Compliance Supplement. Questioned Costs None Statistically Valid Sample The sample was not intended to be, and was not, a statistically valid sample Repeat Finding Yes Recommendation We recommend MCW implement policies and procedures over monitoring of student financial aid system changes and user access. Management?s Response While manual controls mitigated the disbursement of an incorrect amount or disbursement to a student who does not meet the eligibility requirements, MCW concurs and has put significant effort into adding additional change management and user access controls to the student information system. As stated above, these conditions occurred when MCW changed student information systems and began relying more heavily on automated controls within the student information system, instead of solely relying on manual controls outside of the system. Two areas that needed to be addressed were related to general information technology controls: 1. Users with certain administrative access rights have access to the underlying source code of the system and lack monitoring controls over these accounts regarding source code changes. 2. Password requirements for certain administrative accounts were not routinely changed. As of May 10, 2022, MCW implemented controls to address the matters noted above.