Audit 344132

FY End: 2024-05-31
Total Expended: $40.16M
Findings: 8
Programs: 10
Organization: Utica University (NY)
Year: 2024 Accepted: 2025-02-27
Auditor: Bonadio & CO LLP

Findings

ID | Ref | Severity | Repeat | Requirement
524699 | 2024-001 | Significant Deficiency | - | N
524700 | 2024-001 | Significant Deficiency | - | N
524701 | 2024-001 | Significant Deficiency | - | N
524702 | 2024-001 | Significant Deficiency | - | N
1101141 | 2024-001 | Significant Deficiency | - | N
1101142 | 2024-001 | Significant Deficiency | - | N
1101143 | 2024-001 | Significant Deficiency | - | N
1101144 | 2024-001 | Significant Deficiency | - | N

Contacts

Name Title Type
FSCUSJ12BVA8 Kristin Haag Auditee
3157923742 Joseph Peplin Auditor
No contacts on file

Notes to SEFA

Title: 1. GENERAL
Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement.
De Minimis Rate Used: N
Rate Explanation: The University has elected not to use the 10% de minimis indirect cost rate as allowed under the Uniform Guidance.
The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of Utica University (the University) under programs of the federal government for the year ended May 31, 2024 and has been prepared in accordance with accounting principles generally accepted in the United States of America (GAAP). The information in this schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the University, it is not intended to and does not present the financial position, change in net assets, or cash flows of the University. Amounts included in the accompanying Schedule are actual expenditures for the year ended May 31, 2024. Differences between amounts included in the accompanying Schedule and amounts reported to funding agencies for these programs result from report timing.

Title: 4. FEDERAL PERKINS LOAN PROGRAM
Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement.
De Minimis Rate Used: N
Rate Explanation: The University has elected not to use the 10% de minimis indirect cost rate as allowed under the Uniform Guidance.
The Federal Perkins Loan Program is administered directly by the University and balances and transactions relating to this program are included in the University’s financial statements. The balance of loans outstanding under the Federal Perkins Loan Program was $118,503 with an allowance for credit losses of $21,044 at May 31, 2024.

Finding Details

Finding 2024-001
U.S. Department of Education
Student Financial Assistance Cluster
Gramm Leach Bliley Act (GLBA)

Criteria - Institutions participating in the Student Financial Assistance (SFA) program are required to comply with GLBA. GLBA requires institutions to implement certain written policies.

Condition - The University does not have the following required written policies that are required under GLBA:
• The written information security program does not include a change management policy.
• A written information security staff training policy is not in place.
• A written vendor management policy is not in place.

Cause - The University has not established formal policies to ensure compliance with the GLBA requirements. Resource constraints and competing priorities were contributing factors.

Effect - The University is not fully compliant with GLBA requirements.

Recommendation - We recommend that the University develop and implement a comprehensive written information security program that addresses all minimum elements required by GLBA. Additionally, we recommend that the University establish a formal written policy for staff training on data security and privacy and develop and implement a vendor management policy to ensure third-party service providers safeguard customer information appropriately.

Views of Responsible Officials – The University acknowledges the recommendation and is committed to implementing a comprehensive written information security program that fully addresses all GLBA requirements. The University has drafted a formal data security and privacy training policy for staff. The University currently requires faculty and staff to complete annual security and privacy trainings as directed through the employee handbook. The University has drafted a vendor management policy to ensure third-party service providers maintain appropriate safeguards for customer information. A dedicated security team will oversee the development and implementation of these measures, ensuring compliance with GLBA regulations and the protection of sensitive student data.