FAC Explorer

Audit 342098

FY End
2024-05-31
Total Expended
$31.50M
Findings
10
Programs
15
Organization: Siena College (NY)
Year: 2024 Accepted: 2025-02-11
Auditor: Uhy LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
522710 2024-001 - - N
522711 2024-001 - - N
522712 2024-001 - - N
522713 2024-001 - - N
522714 2024-001 - - N
1099152 2024-001 - - N
1099153 2024-001 - - N
1099154 2024-001 - - N
1099155 2024-001 - - N
1099156 2024-001 - - N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $24.22M Yes 1
84.063 Federal Pell Grant Program $4.80M Yes 1
45.130 Promotion of the Humanities Challenge Grants $500,000 - 0
84.038 Federal Perkins Loan Program $464,838 Yes 1
84.033 Federal Work-Study Program $450,000 Yes 1
97.036 Disaster Grants - Public Assistance (presidentially Declared Disasters) $224,781 - 0
84.007 Federal Supplemental Educational Opportunity Grants $221,947 Yes 1
47.049 Mathematical and Physical Sciences $174,117 - 0
94.013 Americorps Volunteers in Service to America 94.013 $97,404 - 0
47.076 Stem Education (formerly Education and Human Resources) $83,738 - 0
81.049 Office of Science Financial Assistance Program $81,932 - 0
93.243 Substance Abuse and Mental Health Services Projects of Regional and National Significance $81,830 - 0
93.859 Biomedical Research and Research Training $57,954 - 0
10.652 Forestry Research $26,471 - 0
43.001 Science $20,816 - 0

Contacts

Name Title Type
KAQDBUUAYKM8 Mary Strunk Auditee
5187832314 Alex Zhang Auditor
No contacts on file

Notes to SEFA

Title: NOTE 1 - DEFINITION OF REPORTING ENTITY Accounting Policies: The Schedule is presented on the accrual basis of accounting and in accordance with and the requirements of U.S. Code of Federal Regulations 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Therefore, some amounts presented in the Schedule may differ from amounts presented in, or used in the preparation of, the basic financial statements. De Minimis Rate Used: N Rate Explanation: Administrative costs are included in the reported expenditures to the extent such costs are included in the federal financial reports used as the source for the data presented. The College has not elected to utilize the 10% de minimis indirect cost rate as permitted by 2 CFR Section 200.414. The accompanying Schedule of Expenditures of Federal Awards (the Schedule) presents all expenditures of federal award programs of Siena College (the College) during the year ended May 31, 2024.
Title: NOTE 4 - STUDENT LOAN PROGRAMS Accounting Policies: The Schedule is presented on the accrual basis of accounting and in accordance with and the requirements of U.S. Code of Federal Regulations 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Therefore, some amounts presented in the Schedule may differ from amounts presented in, or used in the preparation of, the basic financial statements. De Minimis Rate Used: N Rate Explanation: Administrative costs are included in the reported expenditures to the extent such costs are included in the federal financial reports used as the source for the data presented. The College has not elected to utilize the 10% de minimis indirect cost rate as permitted by 2 CFR Section 200.414. Federal Perkins Loan Program For the year ended May 31, 2024, the College did not issue any loans under the Federal Perkins Loan Program and no administrative cost allowance was claimed. The outstanding balance of loans outstanding at May 31, 2024 and 2023 were $315,946 and $464,838, respectively. The expended funds reported on the Schedule represents the May 31, 2023 outstanding loan balance. Federal Direct Student Loan Program During the year ended May 31, 2024, the College processed $24,216,813 of new loans under the Federal Direct Student Loan Program (which includes subsidized and unsubsidized Direct Loans, Direct Parents’ Loans for Undergraduate Students, and Direct Parents’ Loans for Graduate Students). With respect to the Federal Direct Student Loan Program, the College is only responsible for the performance of certain administrative duties; therefore, the College’s financial statements do not include any amounts relative to these loans. The cumulative amount of total loans guaranteed and outstanding at May 31, 2024 is undeterminable.

Finding Details

Finding 2024-001
Federal Assistance Listing Number: Various – Student Financial Aid Cluster Criteria: Per 16 CFR 314.4 (c), the College is required to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates. The College is also required to implement multifactor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. Per the FSA Electronic Announcement GENERAL-23-09, institutions were required to implement these safeguards by June 9, 2023. Condition: The College did not fully implement secure customer information disposal or multi-factor authentication by June 9, 2023, which was the effective deadline. Cause: The College is still working to implement the required secure customer information disposal. The College is also currently in the process of implementing multi-factor authentication on the Banner INB system. Effect: The College is not in compliance with the requirements set by the Safeguards Rule under the Gramm-Leach Bliley Act. Prevalence: Implementing secure customer information disposal proved to be more time consuming due to the volume of customer data. Implementing multi-factor authentication was more complicated and time consuming for the student information system Banner INB. Multi-factor authentication or equivalent access controls are in place for all other systems containing student information. All other elements of the Safeguards Rule appear to be in place as required. Recommendation: The College should implement secure customer information disposal and multi-factor authentication for all systems as soon as possible and reference the related safeguards in the written Information Security Program. The College should also enhance its training and procedures to ensure that any future adjustments to Gramm Leach Bliley Act continue to be met in a timely manner. Management’s Response and Planned Corrective Action: The College is in the process of identifying customer data that should be disposed of or retained beyond two years. Management also acknowledged that implementation of multi-factor authentication for the Banner INB system has taken more time due to the complexity of the system in place. The secure customer information disposal and multi-factor authentication on the Banner INB system is expected to be implemented in 2025.
Finding 2024-001
Federal Assistance Listing Number: Various – Student Financial Aid Cluster Criteria: Per 16 CFR 314.4 (c), the College is required to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates. The College is also required to implement multifactor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. Per the FSA Electronic Announcement GENERAL-23-09, institutions were required to implement these safeguards by June 9, 2023. Condition: The College did not fully implement secure customer information disposal or multi-factor authentication by June 9, 2023, which was the effective deadline. Cause: The College is still working to implement the required secure customer information disposal. The College is also currently in the process of implementing multi-factor authentication on the Banner INB system. Effect: The College is not in compliance with the requirements set by the Safeguards Rule under the Gramm-Leach Bliley Act. Prevalence: Implementing secure customer information disposal proved to be more time consuming due to the volume of customer data. Implementing multi-factor authentication was more complicated and time consuming for the student information system Banner INB. Multi-factor authentication or equivalent access controls are in place for all other systems containing student information. All other elements of the Safeguards Rule appear to be in place as required. Recommendation: The College should implement secure customer information disposal and multi-factor authentication for all systems as soon as possible and reference the related safeguards in the written Information Security Program. The College should also enhance its training and procedures to ensure that any future adjustments to Gramm Leach Bliley Act continue to be met in a timely manner. Management’s Response and Planned Corrective Action: The College is in the process of identifying customer data that should be disposed of or retained beyond two years. Management also acknowledged that implementation of multi-factor authentication for the Banner INB system has taken more time due to the complexity of the system in place. The secure customer information disposal and multi-factor authentication on the Banner INB system is expected to be implemented in 2025.
Finding 2024-001
Federal Assistance Listing Number: Various – Student Financial Aid Cluster Criteria: Per 16 CFR 314.4 (c), the College is required to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates. The College is also required to implement multifactor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. Per the FSA Electronic Announcement GENERAL-23-09, institutions were required to implement these safeguards by June 9, 2023. Condition: The College did not fully implement secure customer information disposal or multi-factor authentication by June 9, 2023, which was the effective deadline. Cause: The College is still working to implement the required secure customer information disposal. The College is also currently in the process of implementing multi-factor authentication on the Banner INB system. Effect: The College is not in compliance with the requirements set by the Safeguards Rule under the Gramm-Leach Bliley Act. Prevalence: Implementing secure customer information disposal proved to be more time consuming due to the volume of customer data. Implementing multi-factor authentication was more complicated and time consuming for the student information system Banner INB. Multi-factor authentication or equivalent access controls are in place for all other systems containing student information. All other elements of the Safeguards Rule appear to be in place as required. Recommendation: The College should implement secure customer information disposal and multi-factor authentication for all systems as soon as possible and reference the related safeguards in the written Information Security Program. The College should also enhance its training and procedures to ensure that any future adjustments to Gramm Leach Bliley Act continue to be met in a timely manner. Management’s Response and Planned Corrective Action: The College is in the process of identifying customer data that should be disposed of or retained beyond two years. Management also acknowledged that implementation of multi-factor authentication for the Banner INB system has taken more time due to the complexity of the system in place. The secure customer information disposal and multi-factor authentication on the Banner INB system is expected to be implemented in 2025.
Finding 2024-001
Federal Assistance Listing Number: Various – Student Financial Aid Cluster Criteria: Per 16 CFR 314.4 (c), the College is required to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates. The College is also required to implement multifactor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. Per the FSA Electronic Announcement GENERAL-23-09, institutions were required to implement these safeguards by June 9, 2023. Condition: The College did not fully implement secure customer information disposal or multi-factor authentication by June 9, 2023, which was the effective deadline. Cause: The College is still working to implement the required secure customer information disposal. The College is also currently in the process of implementing multi-factor authentication on the Banner INB system. Effect: The College is not in compliance with the requirements set by the Safeguards Rule under the Gramm-Leach Bliley Act. Prevalence: Implementing secure customer information disposal proved to be more time consuming due to the volume of customer data. Implementing multi-factor authentication was more complicated and time consuming for the student information system Banner INB. Multi-factor authentication or equivalent access controls are in place for all other systems containing student information. All other elements of the Safeguards Rule appear to be in place as required. Recommendation: The College should implement secure customer information disposal and multi-factor authentication for all systems as soon as possible and reference the related safeguards in the written Information Security Program. The College should also enhance its training and procedures to ensure that any future adjustments to Gramm Leach Bliley Act continue to be met in a timely manner. Management’s Response and Planned Corrective Action: The College is in the process of identifying customer data that should be disposed of or retained beyond two years. Management also acknowledged that implementation of multi-factor authentication for the Banner INB system has taken more time due to the complexity of the system in place. The secure customer information disposal and multi-factor authentication on the Banner INB system is expected to be implemented in 2025.
Finding 2024-001
Federal Assistance Listing Number: Various – Student Financial Aid Cluster Criteria: Per 16 CFR 314.4 (c), the College is required to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates. The College is also required to implement multifactor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. Per the FSA Electronic Announcement GENERAL-23-09, institutions were required to implement these safeguards by June 9, 2023. Condition: The College did not fully implement secure customer information disposal or multi-factor authentication by June 9, 2023, which was the effective deadline. Cause: The College is still working to implement the required secure customer information disposal. The College is also currently in the process of implementing multi-factor authentication on the Banner INB system. Effect: The College is not in compliance with the requirements set by the Safeguards Rule under the Gramm-Leach Bliley Act. Prevalence: Implementing secure customer information disposal proved to be more time consuming due to the volume of customer data. Implementing multi-factor authentication was more complicated and time consuming for the student information system Banner INB. Multi-factor authentication or equivalent access controls are in place for all other systems containing student information. All other elements of the Safeguards Rule appear to be in place as required. Recommendation: The College should implement secure customer information disposal and multi-factor authentication for all systems as soon as possible and reference the related safeguards in the written Information Security Program. The College should also enhance its training and procedures to ensure that any future adjustments to Gramm Leach Bliley Act continue to be met in a timely manner. Management’s Response and Planned Corrective Action: The College is in the process of identifying customer data that should be disposed of or retained beyond two years. Management also acknowledged that implementation of multi-factor authentication for the Banner INB system has taken more time due to the complexity of the system in place. The secure customer information disposal and multi-factor authentication on the Banner INB system is expected to be implemented in 2025.
Finding 2024-001
Federal Assistance Listing Number: Various – Student Financial Aid Cluster Criteria: Per 16 CFR 314.4 (c), the College is required to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates. The College is also required to implement multifactor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. Per the FSA Electronic Announcement GENERAL-23-09, institutions were required to implement these safeguards by June 9, 2023. Condition: The College did not fully implement secure customer information disposal or multi-factor authentication by June 9, 2023, which was the effective deadline. Cause: The College is still working to implement the required secure customer information disposal. The College is also currently in the process of implementing multi-factor authentication on the Banner INB system. Effect: The College is not in compliance with the requirements set by the Safeguards Rule under the Gramm-Leach Bliley Act. Prevalence: Implementing secure customer information disposal proved to be more time consuming due to the volume of customer data. Implementing multi-factor authentication was more complicated and time consuming for the student information system Banner INB. Multi-factor authentication or equivalent access controls are in place for all other systems containing student information. All other elements of the Safeguards Rule appear to be in place as required. Recommendation: The College should implement secure customer information disposal and multi-factor authentication for all systems as soon as possible and reference the related safeguards in the written Information Security Program. The College should also enhance its training and procedures to ensure that any future adjustments to Gramm Leach Bliley Act continue to be met in a timely manner. Management’s Response and Planned Corrective Action: The College is in the process of identifying customer data that should be disposed of or retained beyond two years. Management also acknowledged that implementation of multi-factor authentication for the Banner INB system has taken more time due to the complexity of the system in place. The secure customer information disposal and multi-factor authentication on the Banner INB system is expected to be implemented in 2025.
Finding 2024-001
Federal Assistance Listing Number: Various – Student Financial Aid Cluster Criteria: Per 16 CFR 314.4 (c), the College is required to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates. The College is also required to implement multifactor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. Per the FSA Electronic Announcement GENERAL-23-09, institutions were required to implement these safeguards by June 9, 2023. Condition: The College did not fully implement secure customer information disposal or multi-factor authentication by June 9, 2023, which was the effective deadline. Cause: The College is still working to implement the required secure customer information disposal. The College is also currently in the process of implementing multi-factor authentication on the Banner INB system. Effect: The College is not in compliance with the requirements set by the Safeguards Rule under the Gramm-Leach Bliley Act. Prevalence: Implementing secure customer information disposal proved to be more time consuming due to the volume of customer data. Implementing multi-factor authentication was more complicated and time consuming for the student information system Banner INB. Multi-factor authentication or equivalent access controls are in place for all other systems containing student information. All other elements of the Safeguards Rule appear to be in place as required. Recommendation: The College should implement secure customer information disposal and multi-factor authentication for all systems as soon as possible and reference the related safeguards in the written Information Security Program. The College should also enhance its training and procedures to ensure that any future adjustments to Gramm Leach Bliley Act continue to be met in a timely manner. Management’s Response and Planned Corrective Action: The College is in the process of identifying customer data that should be disposed of or retained beyond two years. Management also acknowledged that implementation of multi-factor authentication for the Banner INB system has taken more time due to the complexity of the system in place. The secure customer information disposal and multi-factor authentication on the Banner INB system is expected to be implemented in 2025.
Finding 2024-001
Federal Assistance Listing Number: Various – Student Financial Aid Cluster Criteria: Per 16 CFR 314.4 (c), the College is required to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates. The College is also required to implement multifactor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. Per the FSA Electronic Announcement GENERAL-23-09, institutions were required to implement these safeguards by June 9, 2023. Condition: The College did not fully implement secure customer information disposal or multi-factor authentication by June 9, 2023, which was the effective deadline. Cause: The College is still working to implement the required secure customer information disposal. The College is also currently in the process of implementing multi-factor authentication on the Banner INB system. Effect: The College is not in compliance with the requirements set by the Safeguards Rule under the Gramm-Leach Bliley Act. Prevalence: Implementing secure customer information disposal proved to be more time consuming due to the volume of customer data. Implementing multi-factor authentication was more complicated and time consuming for the student information system Banner INB. Multi-factor authentication or equivalent access controls are in place for all other systems containing student information. All other elements of the Safeguards Rule appear to be in place as required. Recommendation: The College should implement secure customer information disposal and multi-factor authentication for all systems as soon as possible and reference the related safeguards in the written Information Security Program. The College should also enhance its training and procedures to ensure that any future adjustments to Gramm Leach Bliley Act continue to be met in a timely manner. Management’s Response and Planned Corrective Action: The College is in the process of identifying customer data that should be disposed of or retained beyond two years. Management also acknowledged that implementation of multi-factor authentication for the Banner INB system has taken more time due to the complexity of the system in place. The secure customer information disposal and multi-factor authentication on the Banner INB system is expected to be implemented in 2025.
Finding 2024-001
Federal Assistance Listing Number: Various – Student Financial Aid Cluster Criteria: Per 16 CFR 314.4 (c), the College is required to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates. The College is also required to implement multifactor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. Per the FSA Electronic Announcement GENERAL-23-09, institutions were required to implement these safeguards by June 9, 2023. Condition: The College did not fully implement secure customer information disposal or multi-factor authentication by June 9, 2023, which was the effective deadline. Cause: The College is still working to implement the required secure customer information disposal. The College is also currently in the process of implementing multi-factor authentication on the Banner INB system. Effect: The College is not in compliance with the requirements set by the Safeguards Rule under the Gramm-Leach Bliley Act. Prevalence: Implementing secure customer information disposal proved to be more time consuming due to the volume of customer data. Implementing multi-factor authentication was more complicated and time consuming for the student information system Banner INB. Multi-factor authentication or equivalent access controls are in place for all other systems containing student information. All other elements of the Safeguards Rule appear to be in place as required. Recommendation: The College should implement secure customer information disposal and multi-factor authentication for all systems as soon as possible and reference the related safeguards in the written Information Security Program. The College should also enhance its training and procedures to ensure that any future adjustments to Gramm Leach Bliley Act continue to be met in a timely manner. Management’s Response and Planned Corrective Action: The College is in the process of identifying customer data that should be disposed of or retained beyond two years. Management also acknowledged that implementation of multi-factor authentication for the Banner INB system has taken more time due to the complexity of the system in place. The secure customer information disposal and multi-factor authentication on the Banner INB system is expected to be implemented in 2025.
Finding 2024-001
Federal Assistance Listing Number: Various – Student Financial Aid Cluster Criteria: Per 16 CFR 314.4 (c), the College is required to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates. The College is also required to implement multifactor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. Per the FSA Electronic Announcement GENERAL-23-09, institutions were required to implement these safeguards by June 9, 2023. Condition: The College did not fully implement secure customer information disposal or multi-factor authentication by June 9, 2023, which was the effective deadline. Cause: The College is still working to implement the required secure customer information disposal. The College is also currently in the process of implementing multi-factor authentication on the Banner INB system. Effect: The College is not in compliance with the requirements set by the Safeguards Rule under the Gramm-Leach Bliley Act. Prevalence: Implementing secure customer information disposal proved to be more time consuming due to the volume of customer data. Implementing multi-factor authentication was more complicated and time consuming for the student information system Banner INB. Multi-factor authentication or equivalent access controls are in place for all other systems containing student information. All other elements of the Safeguards Rule appear to be in place as required. Recommendation: The College should implement secure customer information disposal and multi-factor authentication for all systems as soon as possible and reference the related safeguards in the written Information Security Program. The College should also enhance its training and procedures to ensure that any future adjustments to Gramm Leach Bliley Act continue to be met in a timely manner. Management’s Response and Planned Corrective Action: The College is in the process of identifying customer data that should be disposed of or retained beyond two years. Management also acknowledged that implementation of multi-factor authentication for the Banner INB system has taken more time due to the complexity of the system in place. The secure customer information disposal and multi-factor authentication on the Banner INB system is expected to be implemented in 2025.