FAC Explorer

Audit 344285

FY End
2024-06-30
Total Expended
$19.03M
Findings
50
Programs
15
Organization: Howard Community College (MD)
Year: 2024 Accepted: 2025-02-28
Auditor: Cliftonlarsonallen LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
524914 2024-003 Significant Deficiency - N
524915 2024-004 Significant Deficiency - L
524916 2024-005 Significant Deficiency - N
524917 2024-003 Significant Deficiency - N
524918 2024-004 Significant Deficiency - L
524919 2024-005 Significant Deficiency - N
524920 2024-002 Significant Deficiency - N
524921 2024-003 Significant Deficiency - N
524922 2024-004 Significant Deficiency - L
524923 2024-005 Significant Deficiency - N
524924 2024-002 Significant Deficiency - N
524925 2024-003 Significant Deficiency - N
524926 2024-004 Significant Deficiency - L
524927 2024-005 Significant Deficiency - N
524928 2024-003 Significant Deficiency - N
524929 2024-004 Significant Deficiency - L
524930 2024-005 Significant Deficiency - N
524931 2024-002 Significant Deficiency - N
524932 2024-003 Significant Deficiency - N
524933 2024-004 Significant Deficiency - L
524934 2024-005 Significant Deficiency - N
524935 2024-002 Significant Deficiency - N
524936 2024-003 Significant Deficiency - N
524937 2024-004 Significant Deficiency - L
524938 2024-005 Significant Deficiency - N
1101356 2024-003 Significant Deficiency - N
1101357 2024-004 Significant Deficiency - L
1101358 2024-005 Significant Deficiency - N
1101359 2024-003 Significant Deficiency - N
1101360 2024-004 Significant Deficiency - L
1101361 2024-005 Significant Deficiency - N
1101362 2024-002 Significant Deficiency - N
1101363 2024-003 Significant Deficiency - N
1101364 2024-004 Significant Deficiency - L
1101365 2024-005 Significant Deficiency - N
1101366 2024-002 Significant Deficiency - N
1101367 2024-003 Significant Deficiency - N
1101368 2024-004 Significant Deficiency - L
1101369 2024-005 Significant Deficiency - N
1101370 2024-003 Significant Deficiency - N
1101371 2024-004 Significant Deficiency - L
1101372 2024-005 Significant Deficiency - N
1101373 2024-002 Significant Deficiency - N
1101374 2024-003 Significant Deficiency - N
1101375 2024-004 Significant Deficiency - L
1101376 2024-005 Significant Deficiency - N
1101377 2024-002 Significant Deficiency - N
1101378 2024-003 Significant Deficiency - N
1101379 2024-004 Significant Deficiency - L
1101380 2024-005 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
21.027 Coronavirus State and Local Fiscal Recovery Funds $981,240 Yes 0
93.575 Child Care and Development Block Grant $777,046 Yes 0
84.002 Adult Education - Basic Grants to States $611,872 - 0
84.063 Federal Pell Grant Program $233,486 Yes 4
84.033 Federal Work-Study Program $220,087 Yes 3
84.425 Education Stabilization Fund $150,559 - 0
84.048 Career and Technical Education -- Basic Grants to States $95,787 - 0
12.900 2023 Startalk Student Program $81,912 - 0
17.285 Registered Apprenticeship $34,317 - 0
84.007 Federal Supplemental Educational Opportunity Grants $33,892 Yes 3
84.268 Federal Direct Student Loans $33,256 Yes 4
47.076 Stem Education (formerly Education and Human Resources) $8,527 - 0
84.335 Child Care Access Means Parents in School $7,520 - 0
93.391 Activities to Support State, Tribal, Local and Territorial (stlt) Health Department Response to Public Health Or Healthcare Crises $5,301 - 0
12.900 2021 Grant Program - Howard Community College $2,726 - 0

Contacts

Name Title Type
KHMCDWQ3LHZ3 Tyria Stone Auditee
4435184749 Christina Bowman Auditor
No contacts on file

Notes to SEFA

Title: LOANS OUTSTANDING Accounting Policies: Summary of Significant Accounting Policies Expenditures reported on the Schedule of Expenditures of Federal Awards (the Schedule) are recognized following Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), wherein certain types of expenditures are not allowable or are limited as to reimbursement. The College has elected not to use the 10-percent de minimis indirect cost rate as allowed under the Uniform Guidance. Negative amounts on the SEFA represent refunds related to prior year grant awards. Basis of Presentation The accompanying Schedule includes the Federal award activity of the College under programs of the Federal government for the year ended June 30, 2024, and is presented on the accrual basis of accounting. The information in this Schedule is presented in accordance with the requirements of Uniform Guidance. De Minimis Rate Used: N Rate Explanation: he College has elected not to use the 10-percent de minimis indirect cost rate as allowed under the Uniform Guidance. Negative amounts on the SEFA represent refunds related to prior year grant awards. During the year ended June 30, 2024, the College processed the following amount of new loans under the Federal Direct Lending Loan Program. Since this program is administered by outside financial institutions, only the value of new loans made during the fiscal year relating to this program are considered current year expenditures in the Schedule of Expenditures of Federal Awards. The outstanding balance of loans made in previous periods is not included as Federal awards expended because the lender accounts for the prior balances. Federal Grantor/Pass-Through Federal Assistance Pass-Through Entity/ Federal Grantor/Program or Cluster Title Listing Number Identifying Number Expenditures Federal Direct Lending - FY24 84.268 P268K243052 $4,993,909 Federal Direct Lending - FY23 84.268 P268K233052 33,256 $5,027,165
Title: RECONCILIATION TO AUDITED FINANCIAL STATEMENTS Accounting Policies: Summary of Significant Accounting Policies Expenditures reported on the Schedule of Expenditures of Federal Awards (the Schedule) are recognized following Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), wherein certain types of expenditures are not allowable or are limited as to reimbursement. The College has elected not to use the 10-percent de minimis indirect cost rate as allowed under the Uniform Guidance. Negative amounts on the SEFA represent refunds related to prior year grant awards. Basis of Presentation The accompanying Schedule includes the Federal award activity of the College under programs of the Federal government for the year ended June 30, 2024, and is presented on the accrual basis of accounting. The information in this Schedule is presented in accordance with the requirements of Uniform Guidance. De Minimis Rate Used: N Rate Explanation: he College has elected not to use the 10-percent de minimis indirect cost rate as allowed under the Uniform Guidance. Negative amounts on the SEFA represent refunds related to prior year grant awards. Federal Grants per Audited Financial Statements - $14,005,700 Direct Loans per Schedule of Federal Expenditures - $5,027,165 Total Expenditures per Schedule of Federal Expenditures - $19,032,865
Title: STUDENT FINANCIAL AID INSTITUTIONAL AND PROGRAM ELIGIBILTY METRICS Accounting Policies: Summary of Significant Accounting Policies Expenditures reported on the Schedule of Expenditures of Federal Awards (the Schedule) are recognized following Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), wherein certain types of expenditures are not allowable or are limited as to reimbursement. The College has elected not to use the 10-percent de minimis indirect cost rate as allowed under the Uniform Guidance. Negative amounts on the SEFA represent refunds related to prior year grant awards. Basis of Presentation The accompanying Schedule includes the Federal award activity of the College under programs of the Federal government for the year ended June 30, 2024, and is presented on the accrual basis of accounting. The information in this Schedule is presented in accordance with the requirements of Uniform Guidance. De Minimis Rate Used: N Rate Explanation: he College has elected not to use the 10-percent de minimis indirect cost rate as allowed under the Uniform Guidance. Negative amounts on the SEFA represent refunds related to prior year grant awards. The Institution is in compliance with the following institutional and program eligibility requirements under the Higher Education Act of 1965 and Federal regulations under 34 CFR 668.23: - Correspondence courses the institution offers under 34 CFR 600.7(b) and (g) - Regular students that enroll in correspondence courses under 34 CFR 600.7(b) and (g) - Institution’s regular students that are incarcerated under 34 CFR 600.7(c) and (g) - Completion rates for confined or incarcerated individuals enrolled in non-degree programs at nonprofit institutions under 34 CFR 600.7(c)(3)(ii) and (g) - Institution’s regular students that lack a high school diploma or its equivalent under 34 CFR 600.7(d) and (g) - Completion rates for short-term programs under 34 CFR 668.8(f) and (g) - Placement rates for short-term programs under https://www.ecfr.gov/current/title-34/subtitle-B/chapter-VI/part-668/subpart-A/section-668.8 34 CFR 668.8(e)(2)

Finding Details

Finding 2024-003
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not maintained in written form. Questioned Costs: None Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2024: - Assess apps developed by the institution - Implement multi-factor authentication for anyone accessing customer information on the institution’s system - Dispose of customer information securely - Anticipate and evaluate changes to the information system or network. - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. - Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). - Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). - Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Cause: These deficiencies were primarily due to insufficient resources and oversight dedicated to the development and maintenance of the written information security program. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-004
2024 – 004: Fiscal Operations Report and Application to Participate (FISAP) Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance - The Code of Federal Regulations, 34 CFR 668.24(e)(i) requires an institution to maintain records to support the data contained in the FISAP. Condition: The documents retained by the University to support amounts included in the FISAP did not agree to the FISAP. Questioned Costs: None Context: The enrollment count reported in the FISAP did not agree to supporting documentation. Cause: These errors are a result of issues with the student information system. Effect: The information in the FISAP is utilized to assist in the awarding of future awards and incorrect data could negatively impact future awards. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and verification processes to ensure the accuracy of data reported in the FISAP. This may include creating a formalized review process for the FISAP and ensuring all supporting schedules used to populate the form are centrally stored. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-005
2024 – 005: Population for Return of Title IV Funds Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The College was unable to provide the required population for the students that withdrew during the fiscal year in a timely manner. Questioned Costs: None Context: The College does not have a process in place to identify students who have withdrawn and received Title IV funds. Cause: Currently, the collection of this information is a very manual process that caused the delay. Effect: The College’s single audit may be delayed. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and improves coordination among departments to ensure timely submission of required data for the Return of Funds. This may include implementing a more robust tracking system, providing additional training to staff, and establishing clear deadlines and responsibilities for data submission. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not maintained in written form. Questioned Costs: None Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2024: - Assess apps developed by the institution - Implement multi-factor authentication for anyone accessing customer information on the institution’s system - Dispose of customer information securely - Anticipate and evaluate changes to the information system or network. - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. - Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). - Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). - Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Cause: These deficiencies were primarily due to insufficient resources and oversight dedicated to the development and maintenance of the written information security program. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-004
2024 – 004: Fiscal Operations Report and Application to Participate (FISAP) Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance - The Code of Federal Regulations, 34 CFR 668.24(e)(i) requires an institution to maintain records to support the data contained in the FISAP. Condition: The documents retained by the University to support amounts included in the FISAP did not agree to the FISAP. Questioned Costs: None Context: The enrollment count reported in the FISAP did not agree to supporting documentation. Cause: These errors are a result of issues with the student information system. Effect: The information in the FISAP is utilized to assist in the awarding of future awards and incorrect data could negatively impact future awards. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and verification processes to ensure the accuracy of data reported in the FISAP. This may include creating a formalized review process for the FISAP and ensuring all supporting schedules used to populate the form are centrally stored. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-005
2024 – 005: Population for Return of Title IV Funds Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The College was unable to provide the required population for the students that withdrew during the fiscal year in a timely manner. Questioned Costs: None Context: The College does not have a process in place to identify students who have withdrawn and received Title IV funds. Cause: Currently, the collection of this information is a very manual process that caused the delay. Effect: The College’s single audit may be delayed. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and improves coordination among departments to ensure timely submission of required data for the Return of Funds. This may include implementing a more robust tracking system, providing additional training to staff, and establishing clear deadlines and responsibilities for data submission. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
2024 – 002: Special Tests and Provisions – NSLDS Enrollment & Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Code of Federal Regulations, 34 CFR 685.309(b), states that: Institutions must have some arrangement to report student enrollment data to NSLDS through an enrollment roster file. The institution is required to report changes in the enrollment status, the effective date of the status, and an anticipated completion date. Also, the Code of Federal Regulations, 34 CFR 682.610, states that institutions must report accurately the enrollment status of all students regardless of if they receive aid from the institution or not. Condition: During testing of the enrollment status reporting, we noted that the incorrect enrollment status and effective date was reported in NSLDS. Questioned Costs: None Context: • The enrollment status was incorrectly reported for 6 out of 40 students. • The enrollment effective date was incorrectly reported for 4 out of 40 students. Cause: These errors are a result of issues with the student information system. Effect: Student enrollment status was not reported accurately and/or timely to NSLDS. Repeat Finding: No Recommendation: The institution should evaluate their procedures and policies related to reporting status changes and effective dates to NSLDS and enhance as deemed necessary to ensure that accurate information is reported to NSLDS. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not maintained in written form. Questioned Costs: None Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2024: - Assess apps developed by the institution - Implement multi-factor authentication for anyone accessing customer information on the institution’s system - Dispose of customer information securely - Anticipate and evaluate changes to the information system or network. - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. - Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). - Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). - Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Cause: These deficiencies were primarily due to insufficient resources and oversight dedicated to the development and maintenance of the written information security program. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-004
2024 – 004: Fiscal Operations Report and Application to Participate (FISAP) Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance - The Code of Federal Regulations, 34 CFR 668.24(e)(i) requires an institution to maintain records to support the data contained in the FISAP. Condition: The documents retained by the University to support amounts included in the FISAP did not agree to the FISAP. Questioned Costs: None Context: The enrollment count reported in the FISAP did not agree to supporting documentation. Cause: These errors are a result of issues with the student information system. Effect: The information in the FISAP is utilized to assist in the awarding of future awards and incorrect data could negatively impact future awards. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and verification processes to ensure the accuracy of data reported in the FISAP. This may include creating a formalized review process for the FISAP and ensuring all supporting schedules used to populate the form are centrally stored. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-005
2024 – 005: Population for Return of Title IV Funds Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The College was unable to provide the required population for the students that withdrew during the fiscal year in a timely manner. Questioned Costs: None Context: The College does not have a process in place to identify students who have withdrawn and received Title IV funds. Cause: Currently, the collection of this information is a very manual process that caused the delay. Effect: The College’s single audit may be delayed. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and improves coordination among departments to ensure timely submission of required data for the Return of Funds. This may include implementing a more robust tracking system, providing additional training to staff, and establishing clear deadlines and responsibilities for data submission. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
2024 – 002: Special Tests and Provisions – NSLDS Enrollment & Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Code of Federal Regulations, 34 CFR 685.309(b), states that: Institutions must have some arrangement to report student enrollment data to NSLDS through an enrollment roster file. The institution is required to report changes in the enrollment status, the effective date of the status, and an anticipated completion date. Also, the Code of Federal Regulations, 34 CFR 682.610, states that institutions must report accurately the enrollment status of all students regardless of if they receive aid from the institution or not. Condition: During testing of the enrollment status reporting, we noted that the incorrect enrollment status and effective date was reported in NSLDS. Questioned Costs: None Context: • The enrollment status was incorrectly reported for 6 out of 40 students. • The enrollment effective date was incorrectly reported for 4 out of 40 students. Cause: These errors are a result of issues with the student information system. Effect: Student enrollment status was not reported accurately and/or timely to NSLDS. Repeat Finding: No Recommendation: The institution should evaluate their procedures and policies related to reporting status changes and effective dates to NSLDS and enhance as deemed necessary to ensure that accurate information is reported to NSLDS. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not maintained in written form. Questioned Costs: None Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2024: - Assess apps developed by the institution - Implement multi-factor authentication for anyone accessing customer information on the institution’s system - Dispose of customer information securely - Anticipate and evaluate changes to the information system or network. - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. - Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). - Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). - Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Cause: These deficiencies were primarily due to insufficient resources and oversight dedicated to the development and maintenance of the written information security program. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-004
2024 – 004: Fiscal Operations Report and Application to Participate (FISAP) Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance - The Code of Federal Regulations, 34 CFR 668.24(e)(i) requires an institution to maintain records to support the data contained in the FISAP. Condition: The documents retained by the University to support amounts included in the FISAP did not agree to the FISAP. Questioned Costs: None Context: The enrollment count reported in the FISAP did not agree to supporting documentation. Cause: These errors are a result of issues with the student information system. Effect: The information in the FISAP is utilized to assist in the awarding of future awards and incorrect data could negatively impact future awards. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and verification processes to ensure the accuracy of data reported in the FISAP. This may include creating a formalized review process for the FISAP and ensuring all supporting schedules used to populate the form are centrally stored. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-005
2024 – 005: Population for Return of Title IV Funds Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The College was unable to provide the required population for the students that withdrew during the fiscal year in a timely manner. Questioned Costs: None Context: The College does not have a process in place to identify students who have withdrawn and received Title IV funds. Cause: Currently, the collection of this information is a very manual process that caused the delay. Effect: The College’s single audit may be delayed. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and improves coordination among departments to ensure timely submission of required data for the Return of Funds. This may include implementing a more robust tracking system, providing additional training to staff, and establishing clear deadlines and responsibilities for data submission. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not maintained in written form. Questioned Costs: None Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2024: - Assess apps developed by the institution - Implement multi-factor authentication for anyone accessing customer information on the institution’s system - Dispose of customer information securely - Anticipate and evaluate changes to the information system or network. - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. - Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). - Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). - Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Cause: These deficiencies were primarily due to insufficient resources and oversight dedicated to the development and maintenance of the written information security program. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-004
2024 – 004: Fiscal Operations Report and Application to Participate (FISAP) Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance - The Code of Federal Regulations, 34 CFR 668.24(e)(i) requires an institution to maintain records to support the data contained in the FISAP. Condition: The documents retained by the University to support amounts included in the FISAP did not agree to the FISAP. Questioned Costs: None Context: The enrollment count reported in the FISAP did not agree to supporting documentation. Cause: These errors are a result of issues with the student information system. Effect: The information in the FISAP is utilized to assist in the awarding of future awards and incorrect data could negatively impact future awards. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and verification processes to ensure the accuracy of data reported in the FISAP. This may include creating a formalized review process for the FISAP and ensuring all supporting schedules used to populate the form are centrally stored. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-005
2024 – 005: Population for Return of Title IV Funds Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The College was unable to provide the required population for the students that withdrew during the fiscal year in a timely manner. Questioned Costs: None Context: The College does not have a process in place to identify students who have withdrawn and received Title IV funds. Cause: Currently, the collection of this information is a very manual process that caused the delay. Effect: The College’s single audit may be delayed. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and improves coordination among departments to ensure timely submission of required data for the Return of Funds. This may include implementing a more robust tracking system, providing additional training to staff, and establishing clear deadlines and responsibilities for data submission. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
2024 – 002: Special Tests and Provisions – NSLDS Enrollment & Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Code of Federal Regulations, 34 CFR 685.309(b), states that: Institutions must have some arrangement to report student enrollment data to NSLDS through an enrollment roster file. The institution is required to report changes in the enrollment status, the effective date of the status, and an anticipated completion date. Also, the Code of Federal Regulations, 34 CFR 682.610, states that institutions must report accurately the enrollment status of all students regardless of if they receive aid from the institution or not. Condition: During testing of the enrollment status reporting, we noted that the incorrect enrollment status and effective date was reported in NSLDS. Questioned Costs: None Context: • The enrollment status was incorrectly reported for 6 out of 40 students. • The enrollment effective date was incorrectly reported for 4 out of 40 students. Cause: These errors are a result of issues with the student information system. Effect: Student enrollment status was not reported accurately and/or timely to NSLDS. Repeat Finding: No Recommendation: The institution should evaluate their procedures and policies related to reporting status changes and effective dates to NSLDS and enhance as deemed necessary to ensure that accurate information is reported to NSLDS. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not maintained in written form. Questioned Costs: None Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2024: - Assess apps developed by the institution - Implement multi-factor authentication for anyone accessing customer information on the institution’s system - Dispose of customer information securely - Anticipate and evaluate changes to the information system or network. - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. - Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). - Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). - Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Cause: These deficiencies were primarily due to insufficient resources and oversight dedicated to the development and maintenance of the written information security program. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-004
2024 – 004: Fiscal Operations Report and Application to Participate (FISAP) Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance - The Code of Federal Regulations, 34 CFR 668.24(e)(i) requires an institution to maintain records to support the data contained in the FISAP. Condition: The documents retained by the University to support amounts included in the FISAP did not agree to the FISAP. Questioned Costs: None Context: The enrollment count reported in the FISAP did not agree to supporting documentation. Cause: These errors are a result of issues with the student information system. Effect: The information in the FISAP is utilized to assist in the awarding of future awards and incorrect data could negatively impact future awards. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and verification processes to ensure the accuracy of data reported in the FISAP. This may include creating a formalized review process for the FISAP and ensuring all supporting schedules used to populate the form are centrally stored. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-005
2024 – 005: Population for Return of Title IV Funds Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The College was unable to provide the required population for the students that withdrew during the fiscal year in a timely manner. Questioned Costs: None Context: The College does not have a process in place to identify students who have withdrawn and received Title IV funds. Cause: Currently, the collection of this information is a very manual process that caused the delay. Effect: The College’s single audit may be delayed. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and improves coordination among departments to ensure timely submission of required data for the Return of Funds. This may include implementing a more robust tracking system, providing additional training to staff, and establishing clear deadlines and responsibilities for data submission. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
2024 – 002: Special Tests and Provisions – NSLDS Enrollment & Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Code of Federal Regulations, 34 CFR 685.309(b), states that: Institutions must have some arrangement to report student enrollment data to NSLDS through an enrollment roster file. The institution is required to report changes in the enrollment status, the effective date of the status, and an anticipated completion date. Also, the Code of Federal Regulations, 34 CFR 682.610, states that institutions must report accurately the enrollment status of all students regardless of if they receive aid from the institution or not. Condition: During testing of the enrollment status reporting, we noted that the incorrect enrollment status and effective date was reported in NSLDS. Questioned Costs: None Context: • The enrollment status was incorrectly reported for 6 out of 40 students. • The enrollment effective date was incorrectly reported for 4 out of 40 students. Cause: These errors are a result of issues with the student information system. Effect: Student enrollment status was not reported accurately and/or timely to NSLDS. Repeat Finding: No Recommendation: The institution should evaluate their procedures and policies related to reporting status changes and effective dates to NSLDS and enhance as deemed necessary to ensure that accurate information is reported to NSLDS. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not maintained in written form. Questioned Costs: None Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2024: - Assess apps developed by the institution - Implement multi-factor authentication for anyone accessing customer information on the institution’s system - Dispose of customer information securely - Anticipate and evaluate changes to the information system or network. - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. - Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). - Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). - Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Cause: These deficiencies were primarily due to insufficient resources and oversight dedicated to the development and maintenance of the written information security program. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-004
2024 – 004: Fiscal Operations Report and Application to Participate (FISAP) Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance - The Code of Federal Regulations, 34 CFR 668.24(e)(i) requires an institution to maintain records to support the data contained in the FISAP. Condition: The documents retained by the University to support amounts included in the FISAP did not agree to the FISAP. Questioned Costs: None Context: The enrollment count reported in the FISAP did not agree to supporting documentation. Cause: These errors are a result of issues with the student information system. Effect: The information in the FISAP is utilized to assist in the awarding of future awards and incorrect data could negatively impact future awards. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and verification processes to ensure the accuracy of data reported in the FISAP. This may include creating a formalized review process for the FISAP and ensuring all supporting schedules used to populate the form are centrally stored. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-005
2024 – 005: Population for Return of Title IV Funds Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The College was unable to provide the required population for the students that withdrew during the fiscal year in a timely manner. Questioned Costs: None Context: The College does not have a process in place to identify students who have withdrawn and received Title IV funds. Cause: Currently, the collection of this information is a very manual process that caused the delay. Effect: The College’s single audit may be delayed. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and improves coordination among departments to ensure timely submission of required data for the Return of Funds. This may include implementing a more robust tracking system, providing additional training to staff, and establishing clear deadlines and responsibilities for data submission. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not maintained in written form. Questioned Costs: None Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2024: - Assess apps developed by the institution - Implement multi-factor authentication for anyone accessing customer information on the institution’s system - Dispose of customer information securely - Anticipate and evaluate changes to the information system or network. - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. - Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). - Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). - Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Cause: These deficiencies were primarily due to insufficient resources and oversight dedicated to the development and maintenance of the written information security program. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-004
2024 – 004: Fiscal Operations Report and Application to Participate (FISAP) Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance - The Code of Federal Regulations, 34 CFR 668.24(e)(i) requires an institution to maintain records to support the data contained in the FISAP. Condition: The documents retained by the University to support amounts included in the FISAP did not agree to the FISAP. Questioned Costs: None Context: The enrollment count reported in the FISAP did not agree to supporting documentation. Cause: These errors are a result of issues with the student information system. Effect: The information in the FISAP is utilized to assist in the awarding of future awards and incorrect data could negatively impact future awards. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and verification processes to ensure the accuracy of data reported in the FISAP. This may include creating a formalized review process for the FISAP and ensuring all supporting schedules used to populate the form are centrally stored. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-005
2024 – 005: Population for Return of Title IV Funds Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The College was unable to provide the required population for the students that withdrew during the fiscal year in a timely manner. Questioned Costs: None Context: The College does not have a process in place to identify students who have withdrawn and received Title IV funds. Cause: Currently, the collection of this information is a very manual process that caused the delay. Effect: The College’s single audit may be delayed. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and improves coordination among departments to ensure timely submission of required data for the Return of Funds. This may include implementing a more robust tracking system, providing additional training to staff, and establishing clear deadlines and responsibilities for data submission. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not maintained in written form. Questioned Costs: None Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2024: - Assess apps developed by the institution - Implement multi-factor authentication for anyone accessing customer information on the institution’s system - Dispose of customer information securely - Anticipate and evaluate changes to the information system or network. - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. - Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). - Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). - Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Cause: These deficiencies were primarily due to insufficient resources and oversight dedicated to the development and maintenance of the written information security program. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-004
2024 – 004: Fiscal Operations Report and Application to Participate (FISAP) Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance - The Code of Federal Regulations, 34 CFR 668.24(e)(i) requires an institution to maintain records to support the data contained in the FISAP. Condition: The documents retained by the University to support amounts included in the FISAP did not agree to the FISAP. Questioned Costs: None Context: The enrollment count reported in the FISAP did not agree to supporting documentation. Cause: These errors are a result of issues with the student information system. Effect: The information in the FISAP is utilized to assist in the awarding of future awards and incorrect data could negatively impact future awards. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and verification processes to ensure the accuracy of data reported in the FISAP. This may include creating a formalized review process for the FISAP and ensuring all supporting schedules used to populate the form are centrally stored. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-005
2024 – 005: Population for Return of Title IV Funds Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The College was unable to provide the required population for the students that withdrew during the fiscal year in a timely manner. Questioned Costs: None Context: The College does not have a process in place to identify students who have withdrawn and received Title IV funds. Cause: Currently, the collection of this information is a very manual process that caused the delay. Effect: The College’s single audit may be delayed. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and improves coordination among departments to ensure timely submission of required data for the Return of Funds. This may include implementing a more robust tracking system, providing additional training to staff, and establishing clear deadlines and responsibilities for data submission. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
2024 – 002: Special Tests and Provisions – NSLDS Enrollment & Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Code of Federal Regulations, 34 CFR 685.309(b), states that: Institutions must have some arrangement to report student enrollment data to NSLDS through an enrollment roster file. The institution is required to report changes in the enrollment status, the effective date of the status, and an anticipated completion date. Also, the Code of Federal Regulations, 34 CFR 682.610, states that institutions must report accurately the enrollment status of all students regardless of if they receive aid from the institution or not. Condition: During testing of the enrollment status reporting, we noted that the incorrect enrollment status and effective date was reported in NSLDS. Questioned Costs: None Context: • The enrollment status was incorrectly reported for 6 out of 40 students. • The enrollment effective date was incorrectly reported for 4 out of 40 students. Cause: These errors are a result of issues with the student information system. Effect: Student enrollment status was not reported accurately and/or timely to NSLDS. Repeat Finding: No Recommendation: The institution should evaluate their procedures and policies related to reporting status changes and effective dates to NSLDS and enhance as deemed necessary to ensure that accurate information is reported to NSLDS. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not maintained in written form. Questioned Costs: None Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2024: - Assess apps developed by the institution - Implement multi-factor authentication for anyone accessing customer information on the institution’s system - Dispose of customer information securely - Anticipate and evaluate changes to the information system or network. - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. - Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). - Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). - Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Cause: These deficiencies were primarily due to insufficient resources and oversight dedicated to the development and maintenance of the written information security program. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-004
2024 – 004: Fiscal Operations Report and Application to Participate (FISAP) Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance - The Code of Federal Regulations, 34 CFR 668.24(e)(i) requires an institution to maintain records to support the data contained in the FISAP. Condition: The documents retained by the University to support amounts included in the FISAP did not agree to the FISAP. Questioned Costs: None Context: The enrollment count reported in the FISAP did not agree to supporting documentation. Cause: These errors are a result of issues with the student information system. Effect: The information in the FISAP is utilized to assist in the awarding of future awards and incorrect data could negatively impact future awards. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and verification processes to ensure the accuracy of data reported in the FISAP. This may include creating a formalized review process for the FISAP and ensuring all supporting schedules used to populate the form are centrally stored. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-005
2024 – 005: Population for Return of Title IV Funds Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The College was unable to provide the required population for the students that withdrew during the fiscal year in a timely manner. Questioned Costs: None Context: The College does not have a process in place to identify students who have withdrawn and received Title IV funds. Cause: Currently, the collection of this information is a very manual process that caused the delay. Effect: The College’s single audit may be delayed. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and improves coordination among departments to ensure timely submission of required data for the Return of Funds. This may include implementing a more robust tracking system, providing additional training to staff, and establishing clear deadlines and responsibilities for data submission. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
2024 – 002: Special Tests and Provisions – NSLDS Enrollment & Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Code of Federal Regulations, 34 CFR 685.309(b), states that: Institutions must have some arrangement to report student enrollment data to NSLDS through an enrollment roster file. The institution is required to report changes in the enrollment status, the effective date of the status, and an anticipated completion date. Also, the Code of Federal Regulations, 34 CFR 682.610, states that institutions must report accurately the enrollment status of all students regardless of if they receive aid from the institution or not. Condition: During testing of the enrollment status reporting, we noted that the incorrect enrollment status and effective date was reported in NSLDS. Questioned Costs: None Context: • The enrollment status was incorrectly reported for 6 out of 40 students. • The enrollment effective date was incorrectly reported for 4 out of 40 students. Cause: These errors are a result of issues with the student information system. Effect: Student enrollment status was not reported accurately and/or timely to NSLDS. Repeat Finding: No Recommendation: The institution should evaluate their procedures and policies related to reporting status changes and effective dates to NSLDS and enhance as deemed necessary to ensure that accurate information is reported to NSLDS. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not maintained in written form. Questioned Costs: None Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2024: - Assess apps developed by the institution - Implement multi-factor authentication for anyone accessing customer information on the institution’s system - Dispose of customer information securely - Anticipate and evaluate changes to the information system or network. - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. - Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). - Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). - Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Cause: These deficiencies were primarily due to insufficient resources and oversight dedicated to the development and maintenance of the written information security program. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-004
2024 – 004: Fiscal Operations Report and Application to Participate (FISAP) Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance - The Code of Federal Regulations, 34 CFR 668.24(e)(i) requires an institution to maintain records to support the data contained in the FISAP. Condition: The documents retained by the University to support amounts included in the FISAP did not agree to the FISAP. Questioned Costs: None Context: The enrollment count reported in the FISAP did not agree to supporting documentation. Cause: These errors are a result of issues with the student information system. Effect: The information in the FISAP is utilized to assist in the awarding of future awards and incorrect data could negatively impact future awards. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and verification processes to ensure the accuracy of data reported in the FISAP. This may include creating a formalized review process for the FISAP and ensuring all supporting schedules used to populate the form are centrally stored. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-005
2024 – 005: Population for Return of Title IV Funds Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The College was unable to provide the required population for the students that withdrew during the fiscal year in a timely manner. Questioned Costs: None Context: The College does not have a process in place to identify students who have withdrawn and received Title IV funds. Cause: Currently, the collection of this information is a very manual process that caused the delay. Effect: The College’s single audit may be delayed. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and improves coordination among departments to ensure timely submission of required data for the Return of Funds. This may include implementing a more robust tracking system, providing additional training to staff, and establishing clear deadlines and responsibilities for data submission. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not maintained in written form. Questioned Costs: None Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2024: - Assess apps developed by the institution - Implement multi-factor authentication for anyone accessing customer information on the institution’s system - Dispose of customer information securely - Anticipate and evaluate changes to the information system or network. - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. - Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). - Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). - Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Cause: These deficiencies were primarily due to insufficient resources and oversight dedicated to the development and maintenance of the written information security program. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-004
2024 – 004: Fiscal Operations Report and Application to Participate (FISAP) Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance - The Code of Federal Regulations, 34 CFR 668.24(e)(i) requires an institution to maintain records to support the data contained in the FISAP. Condition: The documents retained by the University to support amounts included in the FISAP did not agree to the FISAP. Questioned Costs: None Context: The enrollment count reported in the FISAP did not agree to supporting documentation. Cause: These errors are a result of issues with the student information system. Effect: The information in the FISAP is utilized to assist in the awarding of future awards and incorrect data could negatively impact future awards. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and verification processes to ensure the accuracy of data reported in the FISAP. This may include creating a formalized review process for the FISAP and ensuring all supporting schedules used to populate the form are centrally stored. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-005
2024 – 005: Population for Return of Title IV Funds Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The College was unable to provide the required population for the students that withdrew during the fiscal year in a timely manner. Questioned Costs: None Context: The College does not have a process in place to identify students who have withdrawn and received Title IV funds. Cause: Currently, the collection of this information is a very manual process that caused the delay. Effect: The College’s single audit may be delayed. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and improves coordination among departments to ensure timely submission of required data for the Return of Funds. This may include implementing a more robust tracking system, providing additional training to staff, and establishing clear deadlines and responsibilities for data submission. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
2024 – 002: Special Tests and Provisions – NSLDS Enrollment & Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Code of Federal Regulations, 34 CFR 685.309(b), states that: Institutions must have some arrangement to report student enrollment data to NSLDS through an enrollment roster file. The institution is required to report changes in the enrollment status, the effective date of the status, and an anticipated completion date. Also, the Code of Federal Regulations, 34 CFR 682.610, states that institutions must report accurately the enrollment status of all students regardless of if they receive aid from the institution or not. Condition: During testing of the enrollment status reporting, we noted that the incorrect enrollment status and effective date was reported in NSLDS. Questioned Costs: None Context: • The enrollment status was incorrectly reported for 6 out of 40 students. • The enrollment effective date was incorrectly reported for 4 out of 40 students. Cause: These errors are a result of issues with the student information system. Effect: Student enrollment status was not reported accurately and/or timely to NSLDS. Repeat Finding: No Recommendation: The institution should evaluate their procedures and policies related to reporting status changes and effective dates to NSLDS and enhance as deemed necessary to ensure that accurate information is reported to NSLDS. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not maintained in written form. Questioned Costs: None Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2024: - Assess apps developed by the institution - Implement multi-factor authentication for anyone accessing customer information on the institution’s system - Dispose of customer information securely - Anticipate and evaluate changes to the information system or network. - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. - Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). - Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). - Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Cause: These deficiencies were primarily due to insufficient resources and oversight dedicated to the development and maintenance of the written information security program. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-004
2024 – 004: Fiscal Operations Report and Application to Participate (FISAP) Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance - The Code of Federal Regulations, 34 CFR 668.24(e)(i) requires an institution to maintain records to support the data contained in the FISAP. Condition: The documents retained by the University to support amounts included in the FISAP did not agree to the FISAP. Questioned Costs: None Context: The enrollment count reported in the FISAP did not agree to supporting documentation. Cause: These errors are a result of issues with the student information system. Effect: The information in the FISAP is utilized to assist in the awarding of future awards and incorrect data could negatively impact future awards. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and verification processes to ensure the accuracy of data reported in the FISAP. This may include creating a formalized review process for the FISAP and ensuring all supporting schedules used to populate the form are centrally stored. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-005
2024 – 005: Population for Return of Title IV Funds Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The College was unable to provide the required population for the students that withdrew during the fiscal year in a timely manner. Questioned Costs: None Context: The College does not have a process in place to identify students who have withdrawn and received Title IV funds. Cause: Currently, the collection of this information is a very manual process that caused the delay. Effect: The College’s single audit may be delayed. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and improves coordination among departments to ensure timely submission of required data for the Return of Funds. This may include implementing a more robust tracking system, providing additional training to staff, and establishing clear deadlines and responsibilities for data submission. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-002
2024 – 002: Special Tests and Provisions – NSLDS Enrollment & Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Code of Federal Regulations, 34 CFR 685.309(b), states that: Institutions must have some arrangement to report student enrollment data to NSLDS through an enrollment roster file. The institution is required to report changes in the enrollment status, the effective date of the status, and an anticipated completion date. Also, the Code of Federal Regulations, 34 CFR 682.610, states that institutions must report accurately the enrollment status of all students regardless of if they receive aid from the institution or not. Condition: During testing of the enrollment status reporting, we noted that the incorrect enrollment status and effective date was reported in NSLDS. Questioned Costs: None Context: • The enrollment status was incorrectly reported for 6 out of 40 students. • The enrollment effective date was incorrectly reported for 4 out of 40 students. Cause: These errors are a result of issues with the student information system. Effect: Student enrollment status was not reported accurately and/or timely to NSLDS. Repeat Finding: No Recommendation: The institution should evaluate their procedures and policies related to reporting status changes and effective dates to NSLDS and enhance as deemed necessary to ensure that accurate information is reported to NSLDS. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-003
Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Condition: Certain elements of the College’s information security program were not maintained in written form. Questioned Costs: None Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2024: - Assess apps developed by the institution - Implement multi-factor authentication for anyone accessing customer information on the institution’s system - Dispose of customer information securely - Anticipate and evaluate changes to the information system or network. - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. - Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). - Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). - Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Cause: These deficiencies were primarily due to insufficient resources and oversight dedicated to the development and maintenance of the written information security program. Effect: Information security management may not be optimized and responses delayed without the written plan. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-004
2024 – 004: Fiscal Operations Report and Application to Participate (FISAP) Reporting Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Compliance - The Code of Federal Regulations, 34 CFR 668.24(e)(i) requires an institution to maintain records to support the data contained in the FISAP. Condition: The documents retained by the University to support amounts included in the FISAP did not agree to the FISAP. Questioned Costs: None Context: The enrollment count reported in the FISAP did not agree to supporting documentation. Cause: These errors are a result of issues with the student information system. Effect: The information in the FISAP is utilized to assist in the awarding of future awards and incorrect data could negatively impact future awards. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and verification processes to ensure the accuracy of data reported in the FISAP. This may include creating a formalized review process for the FISAP and ensuring all supporting schedules used to populate the form are centrally stored. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2024-005
2024 – 005: Population for Return of Title IV Funds Federal Agency: U.S. Department of Education Federal Program Name: Student Financial Aid Cluster Assistance Listing Number: 84.063, 84.268, 84.007, 84.033 Federal Award Identification Number: P063P233052, P063P223052, P268K243052, P268K233052, P007A231754, P007A221754, P033A231754 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The College was unable to provide the required population for the students that withdrew during the fiscal year in a timely manner. Questioned Costs: None Context: The College does not have a process in place to identify students who have withdrawn and received Title IV funds. Cause: Currently, the collection of this information is a very manual process that caused the delay. Effect: The College’s single audit may be delayed. Repeat Finding: No Recommendation: It is recommended that the College strengthens its internal controls and improves coordination among departments to ensure timely submission of required data for the Return of Funds. This may include implementing a more robust tracking system, providing additional training to staff, and establishing clear deadlines and responsibilities for data submission. Views of responsible officials: There is no disagreement with the audit finding.